More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll

Published: 23/11/2024   Category: security


Both China-backed APTs and ordinary cyberattackers have seized on a pair of Ivanti VPN bugs for global exploitation.



Ivanti has finally begun patching a pair of zero-day security vulnerabilities disclosed on Jan. 10 in its Connect Secure VPN appliances. However, it also announced two additional bugs in the platform today, CVE-2024-21888 and CVE-2024-21893, the latter of which is also under active exploitation in the wild.

Ivanti has released its first round of patches for the original set of zero-days (CVE-2024-21887 and CVE-2023-46805), but only for some versions; additional fixes will roll out on a staggered schedule in the coming weeks, the company said in its updated advisory today. In the meantime, Ivanti has provided a mitigation that unpatched organizations should apply immediately to avoid falling victim to mass exploitation by Chinese state-sponsored actors and financially motivated cybercriminals alike.

That exploitation continues unabated. According to Mandiant, a China-backed advanced persistent threat (APT) it calls UNC5221 has been behind reams of exploitations going back to early December. But activity in general has ramped up considerably since CVE-2024-21888 and CVE-2024-21893 were made public earlier in January.

"In addition to UNC5221, we acknowledge the possibility that one or more related groups may be associated with the activity," Mandiant researchers said in an Ivanti cyberattack analysis released today. "It is likely that additional groups beyond UNC5221 have adopted one or more of [the] tools [associated with the compromises]."
To that point, Mandiant issued additional information on the types of malware that UNC5221 and other actors are using in the attacks on Ivanti Connect Secure VPNs. So far, implants they observed in the wild include:
A variant of the LightWire Web shell that inserts itself into a legitimate component of the VPN gateway, now featuring a different obfuscation routine.
Two UNC5221 custom Web shells, called ChainLine and FrameSting, which are backdoors embedded in Ivanti Connect Secure Python packages that enable arbitrary command execution.
ZipLine, a passive backdoor used by UNC5221 that uses a custom, encrypted protocol to establish communications with command-and-control (C2). Its functions include file upload and download, reverse shell, proxy server, and a tunneling server.
New variants of the WarpWire credential-theft malware, which steals plaintext passwords and usernames for exfiltration to a hard-coded C2 server. Mandiant does not attribute all of the variants to UNC5221.
And multiple open source tools to support post-exploitation activities like internal network reconnaissance, lateral movement, and data exfiltration within a limited number of victim environments.
"Nation-state actors UNC5221 have successfully targeted and exploited vulnerabilities in Ivanti to steal configuration data, modify existing files, download remote files, and reverse tunnel within networks," says Ken Dunham, cyber-threat director at Qualys Threat Research Unit, who warns Ivanti users to be on the lookout for supply chain attacks on their customers, partners, and suppliers. "Ivanti is likely targeted due [to] the functionality and architecture it provides actors, if compromised, as a networking and VPN solution, into networks and downstream targets of interest."

In addition to these tools, Mandiant researchers flagged activity that uses a bypass for Ivanti's initial stopgap mitigation technique, detailed in the original advisory; in these attacks, unknown cyberattackers are deploying a custom cyber-espionage Web shell called Bushwalk, which can read or write files on a server.

The activity is highly targeted, limited, and distinct from the post-advisory mass exploitation activity, according to the researchers, who also provided extensive indicators of compromise (IoCs) and YARA rules for defenders.

Ivanti and CISA released updated mitigation guidance yesterday that organizations should apply.
In addition to rolling out patches for the three-week-old bugs, Ivanti also added fixes for two new CVEs to the same advisory. They are:
CVE-2024-21888 (CVSS score: 8.8): A privilege escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure, allowing cyberattackers to gain administrator privileges.
CVE-2024-21893 (CVSS score: 8.2): A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, allowing cyberattackers to access certain restricted resources without authentication.
Only exploits for the latter have circulated in the wild, and the activity appears to be targeted, according to Ivanti's advisory, but it added that organizations should "expect a sharp increase in exploitation once this information is public — similar to what we observed on 11 January following the 10 January disclosure."

Qualys TRU's Dunham says to expect attacks from more than just APTs: "Multiple actors are taking advantage of vulnerability exploitation opportunities prior to organizations patching and hardening against attack. Ivanti is weaponized by nation-state actors and now likely others — it should have your attention and priority to patch, if you're using vulnerable versions in production."
Researchers also warn that the result of a compromise can be dangerous for organizations.
"These [new] Ivanti high-security flaws are serious [and particularly valuable for attackers], and should be patched immediately," says Patrick Tiquet, vice president of security and architecture at Keeper Security. "These vulnerabilities, if exploited, can grant unauthorized access to sensitive systems and compromise an entire network."
