February 29, 2024 at 01:35PM
The Cybersecurity and Infrastructure Security Agency (CISA) and its partners have issued a joint Cybersecurity Advisory to warn about cyber threat actors exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Threat actors can bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Organizations are urged to assume compromised credentials and hunt for malicious activity using provided indicators of compromise and detection methods. It is recommended to apply available patching guidance and report potential compromises to the appropriate authorities. Emergency action is required for Federal Civilian Executive Branch agencies. It is critical for organizations to validate and test their security controls to improve their cybersecurity posture against these threats. U.S. organizations should report potential cyber incidents to the U.S. government, and organizations outside the U.S. should contact their national cyber center. The advisory also provides specific MITRE ATT&CK tactics and techniques, as well as indicators of compromise for network defenders to utilize in detecting and responding to these threats. For additional details and technical specifics, please refer to the full advisory.
Based on the meeting notes, the key takeaways are as follows:
1. Cyber threat actors are actively exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, including CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893.
2. Cyber threat actors are able to deceive Ivanti’s Integrity Checker Tool (ICT), resulting in a failure to detect compromise.
3. The vulnerabilities impact all supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure gateways and can be used to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.
4. Existing security controls, such as the Ivanti ICT, have been found to be insufficient for detecting compromise, and cyber threat actors may be able to maintain root-level persistence despite issuing factory resets and appliance upgrades.
5. The authoring organizations recommend assuming that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised and encourage network defenders to hunt for malicious activity using detection methods and indicators of compromise provided in the advisory.
6. Multiple incident response engagements have revealed that threat actors have leveraged compromised accounts to move laterally within internal systems.
Additionally, organizations are encouraged to implement mitigations to improve their cybersecurity posture, validate security controls, and report potential cyber incidents to the appropriate authorities. It’s essential for organizations to follow the recommended detection methods, mitigation strategies, and incident response protocols outlined in the meeting notes to protect against these cyber threats.