2024-01-10 22:01:00
Ivanti Connect Secure and Ivanti Policy Secure are not. By linking two zero-day vulnerabilities, attackers can take over the devices, install and run programs there, bypass access controls, manipulate files and collect entered passwords. These then allow other devices in the company network to be infiltrated. Volexity observed this with a customer at the beginning of December and informed Ivanti. After forensic analysis, the two companies are now going public.
Advertisement
Ivanti doesn’t have any patches yet. The company recommends currently using external integrity testing (ICT) as “mitigation”. Although the affected Ivanti products themselves have an ICT, the attackers also bypass this. Updates are in the works for versions of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) that are still supported. The first patches are scheduled to appear the week following next, but for some product versions customers will have to wait until mid-February.
The actively exploited vulnerabilities are CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (9.1). The former allows authentication to be bypassed, while the latter allows unauthorized injection of commands into web components. Ivanti’s ZTA solution is not affected in normal operating conditions, but is affected in unusual operating conditions, which is why updates are also on the schedule for this.
Ivanti Connect Secure (formerly Pulse Connect Secure) is a virtual private network (VPN) gateway. Ivanti Policy Secure is used for access control in networks (Network Access Control, NAC). This is intended to ensure granularly that devices or programs only have access to selected data sets or other devices. This is intended to prevent a compromised program or device from giving the attacker access to all possible assets in the company network. Anyone who hijacks both VPN and NAC and collects login data has hit the jackpot.
Forensic Analysis
This is exactly what attackers have already managed to do, like the IT security experts at Volexity report. In December, a Volexity product installed at an unnamed customer discovered unusual traffic on the internal network. Volexity was eventually able to connect this to the Ivanti Connect Secure VPN gateway. There the experts found all logs deleted; other logs showed traces of suspicious connections to the outside world. Forensic analysis of memory data ultimately led to the two zero-day vulnerabilities.
Volexity believes it recognizes a state institution from the People’s Republic of China behind the attackers. For now, the company simply refers to the perpetrators as UTA0178 (unknown threat actor 178). Their agents gained access no later than December 3, 2023 and did a great job. For example, they built a backdoor into the compcheck.cgi file to mislead the internal integrity checks on the one hand and to be able to execute commands on the VPN gateway on the other.
Javascript was manipulated to record VPN users’ keyboard entries and transmit them to an external server. The attackers stole access data that then allowed access to the victim’s other computers via RDB, SMB and SSH. The perpetrators installed reserve SOCKS proxies, SSH tunnels, and various webshells that Volexity calls “Glasstokens.” This meant that computers that were actually only accessible on the intranet were opened up to the Internet.
The perpetrators used memory dumps and gained access to backups, including the backup of a domain controller whose Active Directory they stole. They found additional usernames and passwords in a Veeam backup. Various folders and files were created in the tmp directory but then removed once more, so a complete overview is not yet given. In general, the forensic investigations are continuing; Volexity promises updates to the blog post if new information becomes available.
As far as is known, the perpetrators did not destroy or encrypt any extensive data, but did extensively look around the company network and observe it. This is also an indication that the perpetrators are not ordinary criminals but criminals on behalf of the state.
What to do
As mentioned, there are no patches yet and Ivanti recommends using a separate integrity checker. It is intended to detect when files on the Ivanti devices are not as they should be – a clear indication of possible manipulation.
Volexity also recommends paying close attention to data traffic. Surprising network traffic, logs from devices in the VPN, unusual file access, strange cross-connections within the company network, curl calls to external websites, SSH connections to external IP addresses, certain encrypted connections to servers that are not known to provide updates are still part of the login or multifactor authentication, RDP, SMB and SSH activity on internal systems as well as port scans can be indications of a problem.
If the worst comes to the worst, the Ivanti systems should not simply be reinstalled; Rather, it is important to secure logs, system snapshots and forensic data from RAM and hard drives. This enables the search for further access violations. Volexity provides a list of known domains and IP addresses used by the attackers. Passwords and associated secret authentication data may be considered compromised.
(ds)
To home page
1704933942
#days #actively #Ivanti #Connect #Secure #Policy #Secure
