CISA issues emergency directive to federal agencies on Ivanti zero-day exploit

by Vikash Kumawat

The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development came after the vulnerabilities – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – came under widespread exploitation by multiple threat actors. Chained together, the flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system.

The US company acknowledged in an advisory that it had seen a “sharp increase in threat actor activity” since January 11, 2024, after the vulnerabilities were publicly disclosed.

“Successful exploitation of vulnerabilities in these affected products allows a malicious threat actor to move laterally, exfiltrate data, and establish persistent system access, resulting in a complete compromise of the target information system,” the agency said.

Ivanti, which is expected to release an update next week to fix the flaws, has made a temporary fix available via an XML file that can be imported into affected products to make the necessary configuration changes.

CISA is urging organizations running ICS to apply the mitigations and run an external integrity checker tool to identify signs of compromise. If compromise is found, the affected appliances should be disconnected from the network and reset, followed by importing the mitigation XML file.

Additionally, FCEB entities are urged to revoke and reissue any stored certificates, reset administrator enable passwords, reset stored API keys, and reset the passwords of any local users defined on the gateway.

Cybersecurity firms Volexity and Mandiant have seen attacks weaponizing the dual flaws to deploy web shells and passive backdoors for persistent access to compromised devices. It is estimated that around 2,100 devices have been compromised worldwide so far.

The initial attack wave identified in December 2023 has been attributed to a Chinese nation-state group that is being tracked as UTA0178. Mandiant is tracking activity under the alias UNC5221, although it has not been linked to any specific group or country.

Threat intelligence firm GreyNoise said it has consistently seen the vulnerabilities being exploited to deploy backdoors and XMRig cryptocurrency miners, indicating opportunistic exploitation by bad actors for financial gain.
