March 1, 2024 at 08:57AM
Five Eyes agencies warn of ongoing exploitation of Ivanti VPN flaws and urge organizations to assume that credentials on affected appliances have been compromised, hunt for malicious activity, run Ivanti’s Integrity Checker Tool (ICT), and apply patches. Ivanti has released an enhanced ICT to detect new or changed files on affected appliances. The agencies provide indicators of compromise (IoCs), YARA rules, and incident response recommendations.
Key takeaways from the meeting notes about Ivanti vulnerabilities and recommendations:
– Five Eyes government agencies warn of ongoing exploitation of three Ivanti VPN flaws by Chinese hackers allowing attackers to bypass authentication and execute commands with high privileges.
– The vulnerabilities, tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, were patched on January 31 after being exploited as zero-days.
– Ivanti released an Integrity Checker Tool (ICT) to help organizations hunt for signs of compromise, but CISA reported that the ICT can fail to detect compromise and that a threat actor may still gain root-level persistence despite factory resets.
– Organizations are advised to assume that credentials stored on affected appliances have been compromised, to start hunting for malicious activity on their networks, to run the latest version of Ivanti’s ICT, and to apply the available patches.
– The Five Eyes joint advisory includes indicators of compromise (IoCs), YARA rules for detection, and recommendations on incident response and mitigations.
– Ivanti stated that the technique used by CISA in lab research has not been observed in attacks, and implementing the same conditions in the wild would break the connection to the appliance, preventing attackers from gaining persistence.
– Ivanti announced the release of an enhanced ICT that detects new or changed files on affected appliances based on known threat activity.
– New sets of patches were released for affected products on February 8 and 14. Defenders are recommended to apply the available patching guidance, run Ivanti’s updated ICT to detect known attack vectors, and keep the appliances under continuous monitoring.
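To make the integrity-checking step concrete, the following is an added illustration of what a file-integrity checker of the kind described above does: it hashes a known-good baseline of the appliance filesystem, hashes the current state, and reports new, changed and deleted files. It also shows why the baseline manifest itself must come from an offline, trusted source. This is example code written for this page, not Ivanti's ICT and not code from the advisory; the file paths, contents and key below are constructed for the demonstration.

```python
"""Illustrative file-integrity check (added example, not Ivanti's ICT).

Compares a hashed baseline of an appliance filesystem against a later
snapshot and reports new, changed and deleted files, then shows an HMAC
over the baseline manifest so that tampering with the baseline itself
is detectable. All paths, contents and the key are constructed samples.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample snapshots (path -> file bytes). Not real appliance files.
BASELINE_FILES: Dict[str, bytes] = {
    "/home/bin/web": b"legit web binary v1",
    "/home/etc/config.xml": b"<config><auth>saml</auth></config>",
    "/home/perl/lib/Cache.pm": b"package Cache; 1;",
}
CURRENT_FILES: Dict[str, bytes] = {
    "/home/bin/web": b"legit web binary v1",                           # unchanged
    "/home/etc/config.xml": b"<config><auth>local</auth></config>",  # changed
    "/home/perl/lib/Cache.pm": b"package Cache; 1;",                  # unchanged
    "/home/perl/lib/Dropper.pm": b"package Dropper; eval(shift);",   # new file
}


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build a manifest: path -> SHA-256 hex digest of the file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that are new, changed or deleted relative to the baseline."""
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"new": new, "changed": changed, "deleted": deleted}


def check_integrity(baseline_files: Dict[str, bytes], current_files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Hash both snapshots and diff the resulting manifests."""
    return diff_manifests(hash_tree(baseline_files), hash_tree(current_files))


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the manifest.

    The key is meant to live off the appliance; an attacker with root on the
    box can rewrite an unsigned baseline to bless their own files.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], key: bytes, tag: str) -> bool:
    """Constant-time check that the manifest still matches its HMAC tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


if __name__ == "__main__":
    findings = check_integrity(BASELINE_FILES, CURRENT_FILES)
    for kind, paths in findings.items():
        print(f"{kind}: {paths}")

    # Constructed offline key; in practice this would never be stored on the appliance.
    key = b"offline-verification-key"
    baseline_manifest = hash_tree(BASELINE_FILES)
    tag = sign_manifest(baseline_manifest, key)

    # An attacker with root edits the on-box baseline to include their dropper.
    tampered = dict(baseline_manifest)
    tampered["/home/perl/lib/Dropper.pm"] = hash_tree(CURRENT_FILES)["/home/perl/lib/Dropper.pm"]
    print("genuine baseline verifies:", verify_manifest(baseline_manifest, key, tag))
    print("tampered baseline verifies:", verify_manifest(tampered, key, tag))
```

The HMAC only protects the baseline manifest; it does not protect the checker itself. That is the limit CISA's finding points at: once an attacker has root-level persistence on the appliance, an on-box checker and its inputs are both within reach, so a baseline taken from a known-good image and a check run from outside the appliance carry more weight than a clean result produced on the box.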
The meeting notes emphasize the urgency for organizations to take action to address the Ivanti vulnerabilities, as well as the need for ongoing vigilance and monitoring in order to protect against potential threats.