Friday 9th February 2024
Writer: Ellen Hallam, Threat Intelligence Analyst | Editor: Georgia Moore
--------------------
A Chinese hacking group, motivated by espionage, exploited vulnerabilities in Ivanti Connect Secure VPN to gain access to Ivanti VPN appliances. Initial exploitation activity was observed from 3rd December 2023.
The vulnerabilities were already being exploited in the wild at the time of publishing, and because they were exploited before an official patch was available they are classed as zero-day vulnerabilities. They include an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in Connect Secure and Policy Secure gateways, which attackers have chained together (the bypass gives unauthenticated access to the endpoint into which commands are then injected), and a critical SQL injection vulnerability (CVE-2023-39336) in Ivanti Endpoint Manager that can lead to remote code execution (RCE).
If successfully exploited, a cyber threat actor could use these vulnerabilities to take control of an affected system.
Observation:
Ivanti have also announced the discovery of two more vulnerabilities in Connect Secure and Policy Secure: a privilege escalation vulnerability (CVE-2024-21888) and a server-side request forgery (SSRF) vulnerability (CVE-2024-21893).
The vulnerabilities affect Ivanti Connect Secure VPN (formerly Pulse Connect Secure) and Ivanti Policy Secure appliances and impact all supported versions (9.x to 22.x).
These vulnerabilities are severe enough that they prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish an emergency directive (ED 24-01), and CISA reports that the vulnerabilities are being exploited by multiple threat actors. The products are used across the globe, exposed appliances are open to compromise, and the mitigations are complex to implement.
Analyst Comment:
Based on CISA's involvement, the vulnerabilities identified are being actively exploited by significant threat actors and have the potential to cause significant damage to organisations. Although the initial threat actor appears to be a state-backed Advanced Persistent Threat (APT), cybercriminals seeking more than espionage are likely to use these now-public vulnerabilities for financial gain. It is therefore highly recommended that patches are installed as soon as they are released, and that the vendor's mitigations are applied in the meantime.
Customer Actions:
Alongside CISA's Supplementary Direction (covering CVE-2024-21888 and CVE-2024-21893), Bytes recommend:
For all discovered issues:
Caveat: this is based on current, limited knowledge, which should be further investigated and verified before being applied to your systems.
For further detail and information on the sources, please read the full Threat Intelligence Assessment.
If you have any questions, or would like to learn about any of the content covered in this blog, please email our friendly team via [email protected].