Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

reader comments

Unknown threat actors are actively targeting two critical zero-day vulnerabilities that allow them to bypass two-factor authentication and execute malicious code inside networks that use a widely used virtual private network appliance sold by Ivanti, researchers said Wednesday.

Ivanti reported bare-bones details concerning the zero-days in posts published on Wednesday that urged customers to follow mitigation guidance immediately. Tracked as CVE-2023-846805 and CVE-2024-21887, they reside in Ivanti Connect Secure, a VPN appliance often abbreviated as ICS. Formerly known as Pulse Secure, the widely used VPN has harbored previous zero-days in recent years that came under widespread exploitation, in some cases to devastating effect.

Exploiters: Start your engines

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” researchers from security firm Volexity wrote in a post summarizing their investigative findings of an attack that hit a customer last month. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.” Researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster went on to write:

Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.

The researchers attributed the hacks to a threat actor tracked under the alias UTA0178, which they suspect is a Chinese nation-state-level threat actor.

Citrix Bleed or designations including CVE-2023-36934, CVE-2022-47966, and CVE-2023-49103, which resided in the Citrix NetScaler Application Delivery Controller and NetScaler Gateway, MOVEit from maker Progress Software, 24 wares sold by Zoho-owned ManageEngine and ownCloud, respectively. Unless affected organizations move more quickly than they did last year to patch their networks, the latest vulnerabilities in the Ivanti appliances may receive the same treatment.

Researcher Kevin Beaumont, who proposed “Connect Around” as a moniker for tracking the zero-days, posted results from a scan that showed there were roughly 15,000 affected Ivanti appliances around the world exposed to the Internet. Beaumont said that hackers backed by a nation-state appeared to be behind the attacks on the Ivanti-sold device.

Map showing geographic location of ICS deployments, led by the US, Japan, Germany, France, and Canada.
Enlarge / Map showing geographic location of ICS deployments, led by the US, Japan, Germany, France, and Canada.
Article Tags:
Article Categories: