Pre-auth RCE zero days in Ivanti VPNs are being exploited by a Chinese APT and there won’t be a patch for weeks. Buckle up.
Attackers re-write JavaScript loaded by the VPN login page for the Appliance to capture credentials; also grabbed Veeam credentials, moved laterally for full SYSTEM control.
Two critical vulnerabilities in Ivanti Connect Secure VPN devices are being exploited in the wild to achieve pre-authentication remote code execution.
There is no patch available yet. The exploits appear to have been used by attackers since December 3, 2023. They are wiping logs as they go.
The vulnerabilities let attackers bypass MFA. They affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways.
Shodan searches suggest that there are over 15,000 instances exposed.
Ivanti vulnerabilities: CVE-2023-46805 and CVE-2024-21887 have been allocated.
The vulnerabilities have been allocated CVE-2023-46805 and CVE-2024-21887. They were identified during incident response by security researchers at memory forensics specialist Volexity – which said that the attackers exploiting the bugs had successfully pivoted laterally to “ultimately gain unfettered access to systems on the network…”
(Volexity's excellent, detailed and helpful write-up is here.)
It attributed the attacks to a “Chinese nation-state-level threat actor.” (Now that the Ivanti zero days have been disclosed, other attackers like ransomware groups are likely to commoditise and exploit them widely.)
Ivanti says 10 customers are known to have been breached.
As security researcher Kevin Beaumont noted on Mastodon: "There are likely more victims... Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs."
Ivanti VPN vulnerabilities: Mitigate urgently
Alarmingly for customers, Ivanti said that final patches will not be released for five weeks and even the soonest will take a fortnight to deliver.
“Patches will be released in a staggered schedule with the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February,” Ivanti said.
It provided mitigation instructions here. These involve importing mitigation.release.20240107.1.xml file via Ivanti's download portal.
Ivanti has over 40,000 customers, including 88 of the Fortune 100.
The attackers largely lived off the land, using stolen credentials to move laterally. Among other moves, they re-write the JavaScript loaded by the VPN login page for the VPN Appliance to capture credentials entered in it and used a script on GitHub to pull credentials from Veeam backups.
Oh sh*t how do I know if we got hit?
Volexity's blog is immensely helpful for defenders, far more so at this stage than Ivanti's advisory. It suggests that one way organisations can hunt for signs of compromise is "examine anomalous traffic originating from their VPN appliances. This includes both traffic destined for the Internet from the appliance and traffic from it to systems internally. While these devices are configured to allow remote users access into the network, IP addresses assigned to VPN users are typically separate from IP addresses used by the VPN appliance itself. Organizations can examine outbound network traffic from the VPN appliance to look for connections atypical of the device. From Volexity's Network Security Monitoring of client networks, it typically sees the VPN appliance connect back to download.pulsesecure[.]net and to any other customer-configured integrations, such as to an SSO or MFA provider. Example activity that Volexity observed from compromised VPN appliances that was irregular include the following:
- curl requests to remote websites
- SSH connections back to remote IPs
- Encrypted connections to hosts not associated with SSO/MFA providers or device updates
"Further, Volexity was able to detect threat activity by observing inbound network traffic from IP addresses associated with the VPN appliances. There is likely an expected amount of internal traffic associated with these devices for DNS services, directory integrations, and other related traffic that should be consistently seen. However, other internal traffic that Volexity observed that was not expected included the following:
- RDP and SMB activity to internal systems
- SSH attempts to internal systems
- Port scanning against hosts to look for systems with accessible services
If this all sounds worryingly familiar, cast your minds eye back to 2021.
In April 2021, Mandiant reported having "investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances."
"In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893" it said.
Ivanti's large enterprise and government customer base makes it, like other gateway providers, a compelling target.
Follow the instructions for mitigation and start checking for compromise.
As security researchers at supply chain and firmware security specialist Eclypsium noted: "Network devices have become a favorite initial access vector for ransomware operators [as well as APTs!] because they exist in highly privileged parts of an organization and lack security tooling like EDR, while providing ample opportunity for lateral movement within the internal network and the ability to covertly route command and control traffic.
"Because the patch process can affect production traffic, remediation often lags weeks or months behind the normal patching cadence seen with desktop and server operating systems. For example, in June 2023, a 9.8 CVSS remote code execution bug was patched in Fortinet devices; three weeks later, 330k devices were still vulnerable..."
Pointing to certain such gateway providers' growing number of critical software bugs (Fortinet alone saw 185 vulnerabilities allocated CVEs in 2023), Eclypsium suggested that "organizations need to start incorporating product security evaluations into their vendor risk assessment processes."