January 16, 2024 at 10:04AM
Ivanti Connect Secure (ICS) VPN users are at risk if they have not applied Ivanti's recent vulnerability mitigation. Over 1,700 devices have been compromised through successful exploits. The attacks have targeted a wide range of organizations globally. Users are advised to run Ivanti's Integrity Checker Tool to detect compromises and to take the necessary action if a compromise is found.
Based on the meeting notes, it’s clear that there is a significant cybersecurity threat related to the Ivanti Connect Secure (ICS) VPN vulnerability. The notes highlight the following key points:
– There has been a sharp increase in successful exploits of two Ivanti zero-days, with at least 1,700 devices compromised.
– The attacks have escalated rapidly, affecting a wide range of organizations, including government agencies, militaries, tech companies, and financial services firms.
– Evidence suggests that attackers beyond the initial group responsible now have a working exploit, leading to mass exploitation.
– The majority of successful compromises are attributed to the group UTA0178, with a nexus in China, and a minority have come from other criminal groups.
– Another group, UTA0188, is also thought to be behind some exploit attempts.
– Most victims have been infected with a modified version of the GIFTEDVISITOR webshell.
– The concentration of vulnerable ICS appliances is highest in the US, Japan, China, Taiwan, and South Korea.
– Users are advised to run Ivanti’s internal and external Integrity Checker Tool to detect ongoing compromises.
Furthermore, organizations are strongly advised to proactively look for signs of lateral movement internally from their ICS VPN appliance and to conduct additional investigation and take further security measures if a compromise is detected. This includes collecting logs, system snapshots, and forensic artifacts, as well as considering password resets and changing any sensitive data stored on the ICS VPN appliance.
In summary, the meeting notes indicate a serious and widespread cybersecurity threat, and organizations are strongly advised to take immediate action to assess and mitigate potential compromises to their systems.