The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive on Friday, advising Federal Civilian Executive Branch (FCEB) agencies to take immediate action against two zero-day vulnerabilities found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). These threats have already been actively exploited by various malicious actors.
This call to action follows the discovery of an authentication bypass vulnerability (CVE-2023-46805) and a code injection flaw (CVE-2024-21887) that have garnered significant attention due to their broad exploitation potential. Both vulnerabilities enable attackers to send specially crafted requests that can execute arbitrary commands on compromised systems, posing dire risks to the integrity of data and operations within affected organizations.
The vulnerabilities were publicly disclosed, with Ivanti acknowledging a notable increase in threat activity as of January 11, 2024. This surge has raised alarms as security firms and analysts report that many devices running these products may be at risk, potentially allowing cybercriminals to exfiltrate sensitive information and establish persistent access to targeted networks.
CISA has indicated that successful exploitation of these vulnerabilities could lead to lateral movement within the network, data exfiltration, and overall compromise of information systems. In response, the agency is urging organizations running ICS to deploy the available mitigations and to run the External Integrity Checker Tool to detect signs of a breach. Should any indications of compromise be uncovered, agencies are advised to isolate affected devices from their networks and perform the required resets.
To further secure their systems, FCEB entities should revoke and reissue stored certificates, reset administrative passwords, secure API keys, and change the passwords of local users defined on the gateways. Ivanti is expected to release a fix for these vulnerabilities soon, while also providing interim solutions through an XML file to facilitate necessary configurations.
Research from cybersecurity firms, such as Volexity and Mandiant, has indicated that these vulnerabilities have been weaponized, allowing cyber actors to install web shells and backdoors on compromised devices. Reports suggest that approximately 2,100 devices globally may have been affected as of now, with attacks traced back to a December 2023 wave attributed to a Chinese nation-state group known as UTA0178.
The vulnerabilities have also been exploited opportunistically to deploy cryptocurrency miners, showing that the flaws are being abused for direct financial gain as well as by state-backed actors.
Censys has recently published findings indicating that as of January 22, 2024, there are 26,095 unique Connect Secure hosts exposed on the public internet, with at least 412 of them confirmed to have suffered from backdoor installations. These compromised systems are primarily located within the U.S., Germany, South Korea, and several other countries, emphasizing the global nature of this cybersecurity incident.
Viewed through the MITRE ATT&CK framework, the observed activity maps most directly to the initial access and persistence tactics, which describe how attackers gain a foothold and keep it. The potential for privilege escalation and lateral movement within networks further highlights the serious implications of these vulnerabilities and reinforces the importance of prompt and effective mitigation for organizations at risk.