CISA Issues Alert on Exploits of Ivanti Connect Secure and Policy Secure VPN Solutions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with other government partners, issued a new alert this week about the compromise of some Ivanti virtual private network (VPN) technologies.

The Feb. 29 CISA alert cautioned that old vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, in "all supported versions (9.x and 22.x)," are still subject to exploitation by attackers. Moreover, these attackers are able to "deceive Ivanti's internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise."

The attackers are thought to be China-affiliated and are using the vulnerabilities to set up persistent "webshells on internal and external-facing web servers," according to cybersecurity company Volexity, which first detected the exploits.

CISA's Feb. 29 alert is essentially an update on vulnerabilities that Volexity initially discovered back in December 2023 and publicly reported on Jan. 10. Volexity had initially found that the attackers had chained two vulnerabilities. Eventually, a total of five vulnerabilities were detected, as listed in this Ivanti knowledge base article on CVE-2023-46805 and CVE-2024-21887.

That knowledge base article, last modified on Feb. 29, stated that Ivanti was "aware of less than 20 customers impacted by the vulnerabilities prior to public disclosure," likely back in January. No newer number was given.

CISA's Advice
CISA's alert advised organizations to "run Ivanti's most recent external ICT" and follow Ivanti's patch guidance after initially checking for possible malicious network activity.

Ivanti has an internal ICT, which apparently could be defeated by the attackers at some point, and an external ICT. It was a "previous external ICT" that could fail to detect compromise, per CISA's explanation.

Ivanti Issues New External ICT
Ivanti has released an "enhanced external Integrity Checking Tool," which apparently is the tool that Ivanti Connect Secure and Ivanti Policy Secure customers should use. The new external ICT is described in this Feb. 29 Ivanti announcement.

"Ivanti is releasing a new enhancement to the external Integrity Checker Tool (ICT), which provides additional visibility into a customer's appliance and all files that are present on the system," the announcement explained.

Ivanti previously advised carrying out a factory reset of the VPN appliances, plus patching, to deal with possible exploits. It also recommended running its "internal and updated external ICT," along with "continuous monitoring." Customers using its virtual appliances that didn't take the earlier advised action of resetting the appliances should now instead deploy "a new build of Ivanti Connect Secure," per Ivanti's Feb. 29 announcement.

Ivanti included an "update" note in the announcement claiming that CISA did not find an "in the wild exploit" with its recent lab work, as described in its Feb. 29 alert. Here's Ivanti's statement to that end:

It is important to note that this lab-based finding has not been observed by CISA, Ivanti or Mandiant in the wild, and based on the evidence presented and further analysis by our team, we believe that if a threat actor were to attempt this remotely they would lose connection to Ivanti Connect Secure, and not gain persistence in a live customer environment.

However, CISA and its government coauthors didn't seem to be giving Ivanti much of a vote of confidence. Here's the concluding advice in the CISA alert:

The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.

CISA's alert also included a helpful bulleted list of risk considerations for organizations choosing VPNs. This list can be found under the "Mitigations" subhead of the alert.

CISA's alert was authored by CISA, along with the FBI, the Multi-State Information Sharing and Analysis Center, Australia's Signals Directorate, the UK's National Cyber Security Centre, Canada's Cyber Centre, New Zealand's Cyber Security Centre and New Zealand's CERT.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
