Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti.
If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure and network access control toolkit Policy Secure, you should immediately apply the current workaround in Ivanti's security update, the US Cybersecurity and Infrastructure Security Agency warned last night.
Successful exploitation allows for code execution after bypassing authentication, including MFA, and the vulnerabilities affect all supported versions, Ivanti said.
Ivanti believes fewer than ten victims have been successfully attacked thus far, but according to a Shodan scan by Beaumont, the number of vulnerable gateways exposed to the internet is just north of 15,000.
Ivanti is still developing patches, although a mitigation is available in its advisory.
Researchers at Volexity disclosed the findings from an investigation into a customer believed to be one of the victims successfully targeted by attacks chaining two zero-days in Ivanti Connect Secure and Policy Secure gateways.
While exploitation volume currently appears low, the public disclosure of the two vulnerabilities means attackers are now likely to target organizations en masse, since they know which products and versions are exposed.
The attackers also harvested user credentials by modifying a JavaScript file used by the Web SSL VPN component of ICS, allowing them to capture credentials as users logged in.
The credentials were then used by the attackers to gain access to other systems on the network, leading to an extensive compromise.
The two vulnerabilities were initially exploited in a short chain by the attackers - an unknown group Volexity tracks as UTA0178.
Underlining the severity of the exploits, CISA swiftly added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating that all federal civilian executive branch agencies apply the fixes within three weeks.
Ivanti is currently working on patches, but due to its strict staggered schedule, some may not be released until February.
In the meantime, customers are encouraged to apply the mitigation for both vulnerabilities, which involves importing a mitigation file provided by Ivanti.
Full details about the patch, the available mitigation, and IOCs can be found in Ivanti's advisory.
Volexity recommends three primary methods for detecting malicious activity on organizations' networks: network traffic analysis; VPN device log analysis; and running Ivanti's Integrity Checker Tool (ICT).
Web requests associated with the exploits won't appear in the VPN device logs, so those logs alone cannot show whether a server is compromised.
Attackers were also observed deleting logs as they went, and unexplained gaps in logging can itself be an indicator of compromise.
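The two defender-side checks the article points at, spotting log deletion and spotting a modified web component file, can both be automated. The following is an added example, not code from the article, Ivanti or Volexity: it uses a constructed log format (an ISO timestamp plus a monotonically increasing sequence number per line, not Ivanti's real format) to flag missing sequence numbers and unusually long silences, and compares a SHA-256 of a hypothetical `login.js` against a known-good baseline. The file name, log lines and baseline content are all assumptions constructed for the demonstration.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not Ivanti's real log format).
# Format assumed here: "<ISO-8601 UTC timestamp> seq=<counter> <message>".
# The jump from seq=1003 to seq=1009 and the 2.5-hour silence model log deletion.
SAMPLE_LOG = """\
2024-01-10T09:00:00Z seq=1001 user alice authenticated
2024-01-10T09:00:30Z seq=1002 user bob authenticated
2024-01-10T09:01:00Z seq=1003 session established
2024-01-10T11:30:00Z seq=1009 user carol authenticated
2024-01-10T11:30:20Z seq=1010 session established
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) seq=(?P<seq>\d+) (?P<msg>.*)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, seq, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        entries.append((ts, int(m.group("seq")), m.group("msg")))
    return entries


def find_log_gaps(entries, max_silence=timedelta(minutes=30)):
    """Return human-readable findings for missing sequence numbers and long silences.

    A gap in the sequence counter means lines that existed were removed;
    a silence longer than max_silence on a busy gateway deserves a second look.
    """
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        missing = cur[1] - prev[1] - 1
        if missing > 0:
            findings.append(
                f"{missing} sequence number(s) missing between seq={prev[1]} and seq={cur[1]}"
            )
        silence = cur[0] - prev[0]
        if silence > max_silence:
            findings.append(
                f"{silence} of silence between {prev[0].isoformat()} and {cur[0].isoformat()}"
            )
    return findings


# Hypothetical known-good content of a web login component; the baseline hash
# would normally be recorded from a clean install, not embedded in the script.
KNOWN_GOOD_JS = b"function login(u, p) { return post('/auth', {u: u, p: p}); }\n"
BASELINE = {"login.js": hashlib.sha256(KNOWN_GOOD_JS).hexdigest()}


def check_integrity(files, baseline):
    """files maps a file name to its current bytes; returns names whose hash differs.

    A missing file is treated as tampered, since its hash cannot match the baseline.
    """
    tampered = []
    for name, expected in baseline.items():
        actual = hashlib.sha256(files.get(name, b"")).hexdigest()
        if actual != expected:
            tampered.append(name)
    return tampered


if __name__ == "__main__":
    for finding in find_log_gaps(parse_log(SAMPLE_LOG)):
        print("log gap:", finding)
    # Constructed tampered copy: an extra call appended to the known-good file.
    on_disk = {"login.js": KNOWN_GOOD_JS + b"sendElsewhere(u, p);\n"}
    print("tampered files:", check_integrity(on_disk, BASELINE))
```

The sequence-counter check only works on log sources that number their records; where a gateway's logs carry timestamps alone, the silence check is the one that survives, and it should be tuned to the gateway's normal traffic so quiet overnight periods are not flagged. Forwarding logs to a separate collector as they are written is what makes either check trustworthy, since an attacker with a shell on the appliance can edit local logs at will.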
Neither Ivanti nor Volexity has suggested a motive for the attackers.
Attackers were mainly observed sifting through user and configuration files, and testing access to systems.
If the China nexus of the attacks is genuine, the country's actions in cyberspace have traditionally been focused on espionage and the theft of intellectual property, though it is widely believed it has the capability to launch highly disruptive attacks.
This Cyber News was published on go.theregister.com. Publication date: Thu, 11 Jan 2024 15:43:15 +0000