Infoseccers think attackers backed by China are behind Ivanti zero-day exploits

Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti.

If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure (ICS) and network access control toolkit Policy Secure, you should immediately apply the current workaround in Ivanti's security update, the US Cybersecurity and Infrastructure Security Agency (CISA) warned last night.

ICS is used widely in enterprises and governments, and more victims are likely to surface now the vulnerabilities have been disclosed, according security researcher Kevin Beaumont.

Successful exploitation allows for code execution after bypassing authentication, including MFA, and the vulnerabilities affect all supported versions, Ivanti said.

Ivanti believes fewer than ten victims have been successfully attacked thus far, but according to a Shodan scan by Beaumont, the number of vulnerable gateways exposed to the internet is just north of 15,000. Ivanti is still developing patches, although the mitigation is available here.

Researchers at Volexity disclosed the findings from an investigation into a customer believed to be one of the victims successfully targeted by attacks chaining two zero-days in Ivanti Connect Secure (ICS) and Policy Secure gateways.

While exploitation volume appears currently low, the disclosure of the two vulnerabilities means there is always the likelihood of attackers targeting organizations en masse now they know who and what to target.

"When combined, these two vulnerabilities make it trivial for attackers to run commands on the system," blogged Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster.

"In [one] particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool (ICT). 

"Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution."

The attackers also extracted user credentials by modifying a JavaScript file used by the Web SSL VPN component of ICS, allowing them to keylog user logins. The credentials were then used by the attackers to gain access to other systems on the network, leading to an extensive compromise.

The two vulnerabilities and potential exposure

The two vulnerabilities were initially exploited in a short chain by the attackers – an unknown group Volexity tracks as UTA0178.

See below for Ivanti's description of the two issues:

• CVE-2023-46805 (8.2 severity score – "high"): An authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks
• CVE-2024-21887 (9.1 severity score – "critical"): A command injection vulnerability in web components of ICS (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet

Underlining the severity of the exploits, CISA swiftly added the two vulnerabilities to its Known Exploited Vulnerability (KEV) catalog, mandating all federal civilian executive branch (FCEB) agencies to apply the patches within three weeks.

Ivanti's patches and mitigations

Ivanti is currently working on patches, but due to its strict staggered schedule, some may not be released until February.

The first batch is expected to drop in the week commencing January 22 with the last expected in the week starting February 19.

Patches won't be released in version order either. The company said it's using its own telemetry to develop patches for the most-installed versions first, continuing in descending order of user numbers.

Regarding its staggered schedule, Ivanti said its focus is to get patches out to customers "as quickly as possible" but to ensure a high quality of each release, a staggered schedule is required.

• Fidelity National now says 1.3M customers had data stolen by cyber-crooks
• Cybercrooks play dress-up as 'helpful' researchers in latest ransomware ruse
• US Navy sailor swaps sea for cell after accepting bribes from Chinese snoops
• Apache OFBiz zero-day pummeled by exploit attempts after disclosure

In the meantime, customers are encouraged to apply the mitigation for both vulnerabilities, which involves importing the mitigation.release.20240107.1.xml file via the customer download portal.

"We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT)," it said in a detailed advisory. "Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.

"The ICT is a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if they have returned the appliance to a clean state. The ICT does not scan for malware or other indicators of compromise (IOCs). We recommend as a best practice for customers to always run the ICT in conjunction with continuous monitoring."

Full details about the patch, the available mitigation, and IOCs can be found in Ivanti's advisory.

Volexity recommends three primary methods for detecting malicious activity on organizations' networks: network traffic analysis; VPN device log analysis; and using Ivanti's ICT tool.

However, web requests associated with the exploits won't appear in the VPN device logs, meaning these alone won't be able to indicate whether a server is compromised. Attackers were also spotted deleting logs as they went, which itself could indicate a potential compromise.

Who's behind the attacks?

Very little is known about UTA0178. Researchers believe it is a nation-state operation running out of China.

Neither Ivanti nor Volexity have suggested the apparent motives of the attackers. Aside from stealing credentials to hop between victims' systems, the primary goal of this activity appeared to be reconnaissance and exploration, Volexity said. Attackers were mainly observed sifting through user and configuration files, and testing access to systems.

If the China nexus of the attacks is genuine, the country's actions in cyberspace have traditionally been focused on espionage and the theft of intellectual property, though it is widely believed it has the capability to launch highly disruptive attacks.

This is still the case in 2024, according to Microsoft's most recent Digital Defense report, which explains that China primarily targets governments, corporations, and defense and critical infrastructure organizations to collect intelligence.

Those targets are set on the US and nations in the South China Sea, such as Taiwan and the Philippines, and their strategic partners such as Malaysia, Indonesia, and Kazakhstan. ®