On January 10, 2024, Ivanti disclosed two significant vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in their Secure VPN and Policy Secure appliances. These vulnerabilities could lead to authentication bypass and command injection. Mandiant has identified these vulnerabilities being exploited by a suspected espionage group, UNC5221, starting from December 2023.
Ivanti, in collaboration with Mandiant and other partners, is addressing these issues by developing patches and has released mitigation guidance. UNC5221’s exploitation involves sophisticated malware, including the THINSPOOL dropper and LIGHTWIRE and WIREFIRE web shells, enabling persistent access and detection evasion.
The activities of UNC5221, with no confirmed links to known groups, suggest espionage motivations, highlighting the necessity of securing network perimeters. Ivanti urges customers to implement recommended mitigations and stay updated on patch releases.
Ivanti has released mitigation steps and is developing patches for supported versions, to be released in a staggered manner. The first patch is targeted for the week of January 22, with subsequent releases planned until the final version, expected in the week of February 19. Ivanti will also provide instructions on upgrading to a supported version. These dates are subject to change as Ivanti prioritizes the security and quality of each release, and updates will be provided if any changes occur. Customers are urged to implement the recommended mitigations and stay updated on the patch release schedule.
It is important to note that while patches and mitigations are crucial, web shells installed by UNC5221 will persist beyond these measures. Therefore, it is recommended to actively search for IOCs (Indicators of Compromise) after applying patches and mitigations to ensure complete removal of any threats. If assistance is needed in this process, the CSIRT team at FRSecure can be contacted at csirt@frsecure.com. They can provide expertise and support in identifying and mitigating any remaining threats on the network. This step is critical to ensure that the network is fully secured and that all traces of the intrusion are eradicated.
Mitigation steps:
Ivanti “Integrity Checker Tool”:
https://forums.ivanti.com/s/article/KB44755?language=en_US
Additional links: