Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning to users of Ivanti VPN appliances. This warning presents a new challenge in the cybersecurity landscape. Despite efforts to patch and reset devices, the Ivanti nightmare lingers: attackers may be able to maintain root-level persistence on the appliances.
Reports that a Chinese Advanced Persistent Threat (APT) group, UNC5325, is developing methods to exploit patched Ivanti devices further amplify this concern.
These revelations mark a critical period for Ivanti customers, whose networks are at risk from sophisticated cyber-espionage activity.
Ivanti has been addressing several critical vulnerabilities under widespread exploitation. Please refer to our previous news articles for more information about the recent Ivanti vulnerabilities.
CISA’s Warning
CISA’s advisory highlights a concerning scenario. Specifically, attackers could exploit Ivanti VPN appliances, retaining control over devices despite factory resets and patch applications.
These vulnerabilities, identified as CVE-2023-46805 (CVSS Score: 8.2), CVE-2024-21887 (CVSS Score: 9.1), CVE-2024-22024 (CVSS Score: 8.3), and CVE-2024-21893 (CVSS Score: 8.2), pose significant risks, including authentication bypass and command execution.
Alarmingly, Ivanti’s internal Integrity Checker Tool (ICT) failed to detect such compromises. This situation reveals a potential Ivanti nightmare, where attackers could maintain their foothold undetected.
In response to these findings, CISA issued several recommendations:
- Assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised.
- Hunt for malicious activity on networks using the detection methods and indicators of compromise (IOCs) provided in the advisory.
- Run Ivanti’s most recent external ICT.
- Apply Ivanti's available patching guidance as version updates become available.
If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and follow the incident response recommendations within the advisory.
Despite Ivanti's mitigation efforts, CISA still urges all Ivanti customers to consider the significant risk of adversary access and persistence on Ivanti Connect Secure and Ivanti Policy Secure gateways. Consequently, organizations should carefully evaluate the decision to continue operating these devices in an enterprise environment.
A Chinese APT Group Preparing to Defeat Patched Ivanti Devices
Adding to the Ivanti nightmare, reports from Mandiant indicate Chinese espionage group UNC5325’s efforts to exploit Ivanti Connect Secure VPN appliances, despite patches and resets.
The group employs advanced techniques, including exploiting a server-side request forgery (SSRF) vulnerability and deploying custom backdoors. These tactics demonstrate a high level of adaptability and a serious threat.
Fortunately, mismatches in encryption keys have prevented successful breaches for the time being.
The potential use of SparkGateway plugins for persistent backdoor deployment is particularly concerning. This highlights an advanced strategy for maintaining access and control over compromised devices.
Mandiant urges Ivanti customers to update their appliances with the latest patches and use the new external ICT. This tool helps detect persistence attempts.
Closing Comments
The advisory from CISA, along with the evolving threat from Chinese APT groups, highlights an ongoing cybersecurity battle.
Organizations using Ivanti appliances should pay attention to these warnings, recognizing the considerable risk posed by persistent adversaries. The situation requires a watchful and proactive approach to cybersecurity. This approach includes applying the latest patches and conducting a thorough analysis of network integrity to counter this ongoing threat.