
New Malware Exploiting Ivanti VPN Vulnerabilities Emerges


Overview

The Ivanti VPN vulnerabilities have been exploited by hackers, including a China-nexus espionage threat actor known as UNC5221. Google-owned Mandiant found new malware used in post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. The malware includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. The infection chains exploit CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges. These flaws have been abused as zero-days since early December 2023. Germany's Federal Office for Information Security (BSI) said it's aware of “multiple compromised systems” in the country.

Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices. The attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 to achieve persistence. The flaws have been abused as zero-days since early December 2023. Mandiant's analysis of the ZIPLINE passive backdoor has also uncovered its use of “extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2).” The attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.


CISA Issues New Guidance

CISA issued supplemental guidance urging agencies running affected Ivanti products to disconnect them from their networks “as soon as possible and no later than 11:59 p.m. on Friday February 2, 2024,” and to look for signs of compromise before bringing them back online after applying the patches. Agencies have also been required to “assume domain accounts associated with the affected products have been compromised,” taking steps to reset passwords twice for on-premises accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments by March 1, 2024.
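The account-remediation steps in that guidance (double password reset for on-premises accounts, then token revocation for the matching cloud identities) can be scripted for a list of accounts. The following is an added example, not CISA's or Ivanti's own tooling; it assumes the ActiveDirectory and Microsoft.Graph.Users.Actions modules are installed, that the operator holds domain admin rights and has already run Connect-MgGraph with the User.RevokeSessions.All scope, and the account list and UPN suffix are constructed placeholders.

```powershell
# Added example: reset each listed account twice, then revoke its cloud sessions.
# Assumes: ActiveDirectory + Microsoft.Graph.Users.Actions modules, domain admin
# rights, and an existing Connect-MgGraph -Scopes 'User.RevokeSessions.All' session.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users.Actions

# Constructed sample values; in practice list every account the appliance used
# (LDAP bind accounts, admin accounts) and use your tenant's real UPN suffix.
$Accounts  = @('svc-vpn-ldap', 'vpn-admin')
$UpnSuffix = 'corp.example'

function New-RandomPassword {
    # 24 random bytes, base64-encoded: long enough for any sane domain policy.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($sam in $Accounts) {
    # Step 1: two resets, as the guidance specifies. The second reset ensures the
    # compromised credential is no longer even the account's most recent previous value.
    foreach ($round in 1..2) {
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure
        Write-Host "[$sam] on-premises password reset $round/2"
    }

    # Step 2: invalidate refresh tokens / sign-in sessions for the hybrid cloud identity.
    $upn = "$sam@$UpnSuffix"
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "[$sam] cloud sessions revoked for $upn"
}
```

Kerberos tickets already issued are not invalidated by this script; the ticket-revocation step in the guidance has to be handled separately, and the randomly generated passwords should be stored in a vault or rotated again once the accounts are re-provisioned.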

Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a “limited number of customers.” The company has also released the first round of fixes to address the four vulnerabilities. UNC5221 is said to target a wide range of industries that are of strategic interest to China, with its infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.

Frequently Asked Questions

What are the vulnerabilities found in Ivanti VPN products?

Three vulnerabilities have been identified in Ivanti VPN products, including Ivanti Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities are CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. They affect all supported versions (9.x and 22.x) of Ivanti VPN products.

How can cyber attackers exploit Ivanti VPN vulnerabilities?

Cyber attackers can exploit Ivanti VPN vulnerabilities in a chain of exploits to enable malicious cyber activities. The vulnerabilities can allow attackers to execute arbitrary code with root privileges, bypass authentication, and access sensitive data.

What are the risks associated with using vulnerable Ivanti VPN solutions?

The risks associated with using vulnerable Ivanti VPN solutions include unauthorized access to sensitive data, data theft, and network compromise. Attackers can also install malware on the affected systems, which can lead to further damage and disruption.

What steps should users take to mitigate threats from Ivanti VPN vulnerabilities?

Users should install the latest patches and updates released by Ivanti to mitigate threats from Ivanti VPN vulnerabilities. They should also monitor their systems for any suspicious activities and report any security incidents to their IT department.

Are there any recent patches available for Ivanti VPN security flaws?

Yes, Ivanti has released patches for the identified vulnerabilities in Ivanti VPN products. Users are advised to install the latest patches and updates as soon as possible to protect their systems from cyber attacks.

How do Ivanti VPN vulnerabilities compare to other common VPN security issues?

Ivanti VPN vulnerabilities are similar to other common VPN security issues, such as remote code execution, authentication bypass, and privilege escalation vulnerabilities. However, the severity and impact of the vulnerabilities depend on the specific VPN product and the configuration of the affected systems.
