Ivanti: VPN appliances vulnerable if pushing configs after mitigation

January 22, 2024 at 01:27PM

Ivanti advises administrators to refrain from pushing new device configurations to appliances after applying mitigations, because doing so renders the appliances defenseless against ongoing attacks exploiting two zero-day vulnerabilities. Ivanti ICS and IPS appliances are being targeted in large-scale attacks, and Ivanti has issued mitigation measures and recovery instructions. Thousands of exposed appliances are being compromised globally.

Ivanti has warned administrators to stop pushing new device configurations to appliances after applying mitigations, because doing so leaves the appliances vulnerable to ongoing attacks exploiting two zero-day vulnerabilities. The warning specifies that a known race condition occurs when a configuration is pushed: a web service stops, and the applied mitigation ceases working. As a result, customers are advised to refrain from pushing configurations to appliances until they are patched.

The warning was prompted by the issuance of an emergency directive by CISA, which ordered U.S. agencies to immediately apply mitigations for two Ivanti Connect Secure and Policy Secure zero-day flaws that have been exploited in widespread attacks. These attacks have targeted Ivanti ICS and IPS appliances, exploiting authentication bypass and command injection bugs to move laterally within compromised networks, collect and exfiltrate data, and establish persistent system access through backdoors.

Although security patches have not been released, Ivanti has provided mitigation measures to block attack attempts and recovery instructions to help administrators restore impacted appliances. Notably, thousands of appliances are currently exposed online, with hundreds already hacked, prompting concerns about the scale and severity of the ongoing attacks.

Multiple threat actors, including a suspected Chinese state-backed threat group identified as UTA0178 (also tracked by Mandiant as UNC5221), have been actively exploiting the two zero-day vulnerabilities. These attackers have backdoored numerous Ivanti appliances, deployed cryptocurrency miners and malware payloads, and stolen account and session data from the compromised networks of various organizations worldwide.

The impacted entities span many industries, ranging from small businesses to Fortune 500 companies, and include government and military entities, national telecom companies, defense contractors, technology companies, banking and finance organizations, and aerospace, aviation, and engineering firms.

The overall takeaway is that the situation poses a significant cybersecurity threat, and it is crucial for administrators to adhere to Ivanti’s warning and take appropriate measures to safeguard their appliances against the ongoing attacks.