Project Hyphae

Alert: Ivanti Addresses Critical VPN Vulnerabilities Amid Active Exploitation by Threat Actors


On January 10, 2024, Ivanti disclosed two vulnerabilities in its Ivanti Connect Secure (formerly Pulse Connect Secure) VPN and Ivanti Policy Secure gateways: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together, the two let an unauthenticated attacker run arbitrary commands on the appliance. Mandiant has attributed in-the-wild exploitation to a suspected espionage group it tracks as UNC5221, with activity observed as early as December 2023, before the disclosure.

Ivanti, working with Mandiant and other partners, has released mitigation guidance while patches are developed. UNC5221's post-exploitation tooling includes the THINSPOOL dropper, a shell script that writes the LIGHTWIRE web shell into a legitimate CGI file on the appliance, and the WIREFIRE web shell, a Python implant inserted into an existing appliance component. Because both web shells live inside files the appliance already serves, they give the actor persistent command execution that blends into normal web traffic.

Mandiant has not linked UNC5221 to any previously known group, but its targeting and tooling point to espionage. The campaign is a reminder that internet-facing edge appliances, VPN gateways above all, sit outside most endpoint monitoring and are a preferred target; they need the same patch urgency and log visibility as any other perimeter system. Ivanti urges customers to apply the mitigation immediately and to track patch availability.

Ivanti has released mitigation steps and is developing patches for supported versions, to be released in a staggered fashion. The first patch is targeted for the week of January 22, with further releases through the week of February 19, when the final version is expected. Ivanti will also publish instructions for upgrading to a supported version. These dates may change as Ivanti prioritizes the security and quality of each release, and updates will be provided if they do. Until a patch exists for your version, the mitigation is the only protection available, so apply it now and watch the release schedule.

Patches and mitigations close the entry point, but they do not remove what an attacker has already placed on the appliance: web shells installed by UNC5221 persist after the mitigation is applied and after patching. Treat every appliance that was internet-exposed before the mitigation went in as potentially compromised. Run Ivanti's external Integrity Checker Tool (Ivanti recommends the external version; a compromised appliance cannot be trusted to check itself), review the appliance's web and system logs for the indicators of compromise published by Ivanti and Mandiant, and if anything is found, preserve the evidence and move to incident response rather than simply rebooting or re-imaging the device. If assistance is needed, FRSecure's CSIRT can be reached at csirt@frsecure.com and can help identify and eradicate any remaining foothold on the network.

Mitigation steps:

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Ivanti “Integrity Checker Tool”:

https://forums.ivanti.com/s/article/KB44755?language=en_US

Additional links:

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day#:~:text=Mandiant%20has%20identified%20zero%2Dday,Volexity%20to%20address%20these%20issues

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/
