Ivanti Connect Secure - not so Secure

12360131300?profile=RESIZE_400xThe recently discovered Ivanti Connect Secure zero-day vulnerabilities could impact thousands of systems and the threat actors caught exploiting them appear to have been preparing for the release of patches. https://www.ivanti.com Cyber threat investigators warned on 10 January 2024 that it had seen threat actors likely connected to China tracked as UTA0178 exploiting two previously unknown vulnerabilities in Ivanti Connect Secure (ICS) VPN devices to gain access to internal networks, with the goal of stealing valuable data.

According to the researchers, attackers exploited an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue identified as CVE-2024-21887.  Chaining the two security holes enables a remote, unauthenticated attacker to execute arbitrary commands on appliances.  Ivanti developers worked to come up with mitigations against exploitation of the zero-days, but patches are only expected to become available in the week of 22 January 2024.  The vendor noted that Connect Secure was formerly known as Pulse Connect Secure and Ivanti Policy Secure.

The US cybersecurity agency CISA has added the two zero-days to its known exploited vulnerabilities catalog, instructing government agencies to take action by 31 January 2024.  A Rapid7 spokesman noted that there appear to be more than 7,000 internet-exposed instances that could be vulnerable to attacks, a majority located in the United States, Japan and Europe.  Mandiant investigators have also conducted an analysis of attacks involving CVE-2023-46805 and CVE-2024-21887.  The company tracks the threat actor as UNC5221 but has not released any information on attribution and it has refrained from linking it to the Chinese government.  The company did, however, confirm that the likely goal appears to be espionage.  

The custom malware observed in the attacks is tracked as ThinSpool, LightWire, WireFire, WarpWire and ZipLine.  These pieces of malware are webshells, droppers, backdoors and information stealers.  Investigators believe they have been used as part of a targeted operation, with the attackers taking steps to maintain access to high-value compromised systems even after the release of patches by Ivanti.   ThinSpool acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LightWire web shell used by UNC5221 for post-exploitation activity.  The LightWire and WireFire web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances.[1]  This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released. Additionally, the WarpWire Javascript credential stealer may also enable further access to accounts for lateral movement or espionage by capturing plaintext login credentials.

Both Ivanti and Mandiant noted that CVE-2023-46805 and CVE-2024-21887 have been exploited in attacks since at least December 2023.  There will likely be more victims, but noted that many organizations don’t have the capabilities and resources to detect exploitation and respond to such attacks.  It is not uncommon for Ivanti product zero-day vulnerabilities to be exploited in attacks targeting important organizations.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://www.securityweek.com/malware-used-in-ivanti-zero-day-attacks-shows-hackers-preparing-for-patch-rollout/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!