A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach fewer than 10 customers.
Cybersecurity firm Volexity, which identified the activity on one of its clients’ networks in the second week of December 2023, attributed it to a hacking group it tracks called UTA0178. There is evidence that the VPN device may have been compromised as early as December 3, 2023.
The two vulnerabilities that have been exploited to achieve unauthenticated command execution on ICS devices are as follows –
- CVE-2023-46805 (CVSS score: 8.2) – An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887 (CVSS score: 9.1) – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
The two vulnerabilities can be chained into a single exploit to take over vulnerable instances exposed on the Internet.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in an advisory.
The company said it has observed attempts by threat actors to manipulate Ivanti’s internal integrity checker (ICT), which provides a snapshot of the current state of the device.
Patches are expected to be released in a staggered manner starting the week of January 22, 2024. In the interim, users are advised to apply the published workarounds to protect against potential threats.
In the incident analyzed by Volexity, the twin flaws were said to have been employed to “steal configuration data, modify existing files, download remote files, and reverse tunnel from an ICS VPN appliance.”
The attacker further modified a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Additionally, a JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate credentials associated with users logging into the device.
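Because the intrusion described above rests on altered files on the appliance (a modified CGI script and a modified login-page JavaScript file), the detection a defender most wants is an independent file-integrity comparison against a baseline taken from a trusted image rather than from the device itself. The script below is an added example and is not code from Ivanti, Volexity, or the article; it knows nothing about how Ivanti's own integrity checker works. The directory layout, the `web/auth/login.js` name and the file contents are constructed for the demonstration; only `compcheck.cgi` is a name taken from the article.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Compare a trusted baseline manifest against a fresh snapshot.

    Returns sorted lists of paths whose hash changed, paths that only exist
    in the snapshot (dropped-in files), and paths that disappeared.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario (hypothetical layout): a known-good tree, then
    tampering of the kind the article describes, followed by a comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "web" / "auth").mkdir(parents=True)
        (root / "cgi-bin" / "compcheck.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "web" / "auth" / "login.js").write_text("function login() {}\n")
        (root / "web" / "auth" / "style.css").write_text("body {}\n")

        # Baseline: in practice this is extracted offline from a trusted firmware
        # image, never computed on a device that may already be compromised.
        baseline = build_manifest(root)

        # Simulated tampering (constructed): two files rewritten, one dropped in,
        # one deleted.
        (root / "cgi-bin" / "compcheck.cgi").write_text("#!/usr/bin/perl\n# altered\n")
        (root / "web" / "auth" / "login.js").write_text("function login() { /* altered */ }\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/usr/bin/perl\n")
        (root / "web" / "auth" / "style.css").unlink()

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as where the baseline and the snapshot come from: the article notes that the attackers tampered with the appliance's own integrity checker, so run the hashing from a separate host over a mounted or exported copy of the filesystem, keep the baseline off the device, and treat any entry in the modified or added lists for web-facing scripts as an incident until explained.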
“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster said.
The attacks also feature reconnaissance efforts, lateral movement, and the deployment of a custom web shell called Glasstoken via a backdoored CGI file to maintain persistent remote access to an external-facing web server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert of its own, said it has added the two shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by January 31, 2024.
“Internet-accessible systems, especially critical devices such as VPN devices and firewalls, have once again become a favorite target of attackers,” Volexity said.
“These systems often sit on critical parts of the network, can’t run traditional security software, and typically sit at the perfect place for an attacker to operate. Organizations need to make sure they have a strategy in place to be able to monitor activity from these devices and quickly respond if something unexpected occurs.”