Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control appliances are now under mass exploitation.
As discovered by threat intelligence company Volexity, which also first spotted the zero-days being used in attacks since December, multiple threat groups chain the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities in widespread attacks starting January 11.
The attackers backdoored their targets' systems using a GIFTEDVISITOR web shell variant, which was found on hundreds of appliances.
While Ivanti is yet to release patches for these two actively exploited zero-days, admins are advised to apply mitigation measures provided by the vendor on all ICS VPNs on their network.
Threat monitoring service Shadowserver currently tracks more than 16,800 ICS VPN appliances exposed online, almost 5,000 of them in the United States.
As Ivanti disclosed last week, attackers can run arbitrary commands on all supported versions of ICS VPN and IPS (Policy Secure) appliances when the two zero-days are chained successfully.
Attacks have now escalated beyond the limited number of customers initially impacted, with the suspected Chinese state-backed threat actor now joined by multiple other groups.
Zipline Passive Backdoor: custom malware that can intercept network traffic, supports upload/download operations, and creates reverse shells, proxy servers, and server tunnels.
Thinspool Dropper: custom shell script dropper that writes the Lightwire web shell onto Ivanti CS, securing persistence.
Wirefire web shell: custom Python-based web shell supporting unauthenticated arbitrary command execution and payload dropping.
Lightwire web shell: custom Perl web shell embedded in a legitimate file, enabling arbitrary command execution.
The most notable is ZIPLINE, a passive backdoor that intercepts incoming network traffic and provides file transfer, reverse shell, tunneling, and proxying capabilities.
Suspected Chinese hacking groups used another ICS zero-day tracked as CVE-2021-22893 two years ago to breach dozens of U.S. and European government, defense, and financial organizations.
Last year, starting in April, two other zero-days in Ivanti's Endpoint Manager Mobile were tagged as actively exploited and later reported as being used to breach several Norwegian government organizations.
One month later, hackers started using a third zero-day flaw in Ivanti's Sentry software to bypass API authentication on vulnerable devices in limited and targeted attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Jan 2024 01:10:11 +0000