Ivanti VPN appliance exploitation now happening at scale
VPN appliances "all appear to have been constructed with the code equivalent of string, stamped with the word ‘secure’ and then just left to decay for 20 years..."
Public disclosure of a critical vulnerability in Ivanti Connect Secure VPNs has triggered the threat actor behind the original intrusions to begin mass exploitation before organisations mitigate, with over 1,500 now breached using the bug. Other, less skilled threat actors are now also attacking exposed instances.
That’s according to security researchers at Volexity, who say that they have identified exploitation of exposed appliances at aerospace, banking, consulting, defence, finance, government, and telecommunications firms. "Security" company Ivanti meanwhile still has not pushed a fix.
Shadowserver currently tracks over 17,000 Ivanti Connect Secure (ICS) VPN appliances exposed to the internet. Mandiant has identified five distinct malware families associated with post-exploitation activity and describes the activity as an "espionage-motivated APT campaign." It has shared YARA rules and IOCs for threat-hunters in its report.
Volexity first reported the two vulnerabilities on January 10. They can be chained to achieve pre-authentication remote code execution. There is no patch available yet from Ivanti and the exploits appear to have been used by a Chinese APT since December 3, 2023, which is wiping logs as it goes.
The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, let attackers bypass MFA. They affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. The attackers are moving laterally to other systems, living off the land and stealing credentials: among other techniques, they rewrite the JavaScript loaded by a VPN login page to capture credentials entered in it and use a script from GitHub to pull credentials from Veeam backups, before dropping a variety of webshells for persistence.
Mass attacks appear to have started on January 11: “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals” said Volexity this week.
“Investigations of newly found compromised devices showed they had been backdoored with a slightly different variant of the GIFTEDVISITOR webshell documented in the ‘visits.py modification - GIFTEDVISITOR’ section of Volexity’s recent blog post… a unique AES key has likely been employed on each victim system as part of the widespread compromise.”
At minimum, customers should:
- Apply the mitigation provided by Ivanti.
- Run the Integrity Checker Tool provided by Ivanti.
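The second step relies on Ivanti's own Integrity Checker Tool, but the underlying idea is simple enough to illustrate: hash every file in a known-good web-asset tree once, then re-hash the tree later and report anything added, removed or changed. The block below is an added example written for this article, not Ivanti's tool or any code from Volexity or Mandiant; the directory layout, file names and the "tampering" it simulates (a modified login script and a dropped file) are constructed for the demonstration. A baseline is only as trustworthy as where it came from, so in practice it is captured from a clean image and the comparison is run from a separate host, since an intruder who is wiping logs on the appliance can equally tamper with a checker that runs on it.

```python
"""Baseline-and-compare file integrity check for a web-asset tree.

Added illustration, not Ivanti's Integrity Checker Tool. Assumes the
defender captured a baseline (SHA-256 per file) from a known-good
appliance image and later snapshots the same tree from a running system.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two digest maps; returns sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a login-page script is altered and a new file dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "js").mkdir()
        (tree / "js" / "login.js").write_text("function login(){ post('/auth'); }\n")
        (tree / "index.html").write_text("<script src=js/login.js></script>\n")
        baseline = hash_tree(tree)  # taken while the tree is known-good
        # Simulated tampering: the login script gains extra code and a new file appears
        (tree / "js" / "login.js").write_text("function login(){ tampered(); post('/auth'); }\n")
        (tree / "dropped.py").write_text("# constructed placeholder file, not real malware\n")
        return compare(baseline, hash_tree(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the three buckets; only `js/login.js` shows as modified and only `dropped.py` as added. The same `hash_tree` output, written to JSON and kept off-box, doubles as the artefact you hand to incident responders when a device is suspected compromised.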
Many security organisations are far from impressed by Ivanti's lacklustre response. As a team at offensive security firm watchTowr Labs puts it: "We (watchTowr) hate SSLVPN appliances. Not the concept of them, but that they all appear to have been constructed with the code equivalent of string, stamped with the word ‘secure’ and then just left to decay for 20 years.
"What makes this situation even more 'offensive' is Ivanti’s response (or lack of) to these vulnerabilities especially given the context - at the time of writing, a mitigation XML file is all that is available, with staggered patches available from the 22nd Jan 2024 per Ivanti. Yes, really. We’re tired of the lack of responsibility taken by organisations when their devices are the literal gate between the Internet and their internal networks and hold an incredibly critical, and sensitive position in any network architecture."
If you conceivably can, perhaps start thinking about life without VPNs. As the US Department of Defense put it last year: "VPNs pose a threat to enterprise security. They create a path in the network perimeter and provide access to network resources after authentication." And as one COO put it to The Stack recently: “IT's need to manage you on-network is going. Previously, for example, you would have to be on-network for us to manage your device. The rollout many people are doing at the moment [including SASE adoption] moves that management to the cloud. So you can be on-network or off-network and IT can still patch and vuln-test your machine..."