Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure VPN, a popular VPN solution used by organizations worldwide.
The vulnerabilities are currently being exploited in the wild by at least one threat actor, tracked as UTA0178 and assessed to be a Chinese nation-state group.
Chaining the two vulnerabilities allows an unauthenticated attacker to execute code remotely and fully compromise affected appliances.
Ivanti published an official security advisory and knowledge base article about two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways.
CVE-2023-46805 is an authentication bypass in the appliance's web component and CVE-2024-21887 a command injection; chained together, they allow an unauthenticated attacker to run arbitrary commands on affected appliances.
Patrice Auffret, founder, chief executive officer and chief technology officer at ONYPHE, a French cyber defense search engine dedicated to attack surface discovery and attack surface management, told TechRepublic in an email interview earlier today that 29,664 Ivanti Secure VPN appliances are connected to the internet, with more than 40% of the exposed systems being in the U.S., followed by Japan and Germany.
U.S.-based cybersecurity company Volexity discovered both vulnerabilities during an incident response investigation across multiple systems.
The incident response revealed that a threat actor had modified several files on the Ivanti Connect Secure VPN appliance.
The threat actor, dubbed UTA0178 by Volexity, deployed webshells and modified files to allow credential theft before moving from system to system using the compromised credentials.
The threat actor harvested fresh credentials from every system it reached, and was observed dumping a full image of the Active Directory database.
Finally, the attacker modified the JavaScript loaded by the web login page for the VPN appliance to capture any credential provided to it.
Once in possession of credentials, the threat actor explored the network, reading user files and configuration files, and deployed further webshells, including a custom webshell dubbed GLASSTOKEN.
While the threat actor also made use of several publicly known tools, the custom GLASSTOKEN webshell was deployed in two slightly different versions.
According to Volexity's observations, the threat actor used it mostly to execute PowerShell commands.
Careful analysis of outbound traffic from the VPN appliance can reveal suspicious activity, since a healthy appliance only reaches a small, predictable set of internal services such as authentication and time servers.
Inbound traffic to internal systems that originates from the VPN appliance's IP addresses should also be reviewed carefully, because lateral movement from a compromised appliance shows up there.
Requests for files in atypical paths in the web logs should also be treated as suspicious and analyzed, since threat actors may store or manipulate files outside the usual directories.
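The three log-review checks above, written out as a small script. This is an added example and not code from the article, Volexity or Ivanti. Everything environment-specific is assumed for the demonstration: the Common Log Format layout of the web log, the appliance address 10.0.0.5, the allowlists of legitimate path prefixes and expected peer hosts, and the sample log and flow lines, which are constructed. An analyst would replace the allowlists with values baselined from their own appliance and network.

```python
"""Log-review checks for a VPN appliance: atypical web request paths and
unexpected traffic to or from the appliance. Added example code, not from
the article, Volexity or Ivanti. Log format, appliance address, allowlists
and sample lines are all constructed for the demonstration."""
import re
from urllib.parse import unquote

APPLIANCE_IP = "10.0.0.5"                            # assumed appliance address
KNOWN_PREFIXES = ("/dana-na/", "/dana/", "/api/")    # assumed legitimate path prefixes
EXPECTED_PEERS = {"10.0.0.10", "10.0.0.11"}          # assumed AD/LDAP and NTP servers

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def atypical_path(path):
    """Return a reason if the request path looks suspicious, else None."""
    decoded = unquote(unquote(path.split("?", 1)[0]))  # undo double URL encoding
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts:
        return "traversal"
    if not decoded.startswith(KNOWN_PREFIXES):
        return "outside-known-prefixes"
    return None


def suspicious_requests(lines):
    """Return (client, raw path, reason) for each flagged access-log line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable lines deserve a look too, but are out of scope here
        reason = atypical_path(m["path"])
        if reason:
            findings.append((m["src"], m["path"], reason))
    return findings


def unexpected_appliance_flows(flows):
    """flows: 'src dst dport' strings (constructed flow-log shape).

    Flags any connection the appliance initiates to a host outside the
    expected set. Lateral movement from a compromised appliance appears
    here as traffic into internal systems from the appliance's own IP."""
    out = []
    for rec in flows:
        src, dst, dport = rec.split()
        if src == APPLIANCE_IP and dst not in EXPECTED_PEERS:
            out.append((dst, int(dport)))
    return out


# Constructed sample data: two benign requests, two that should be flagged.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jan/2024:14:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:14:02:15 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Jan/2024:14:05:40 +0000] "GET /dana-na/..%252f..%252fdata/config/settings.txt HTTP/1.1" 200 311',
    '198.51.100.23 - - [10/Jan/2024:14:06:02 +0000] "POST /tmp/report.cgi HTTP/1.1" 200 42',
]

SAMPLE_FLOWS = [
    "10.0.0.5 10.0.0.10 389",       # appliance -> AD/LDAP, expected
    "10.0.0.5 10.0.0.11 123",       # appliance -> NTP, expected
    "10.0.0.5 10.0.0.50 445",       # appliance -> SMB on a workstation: lateral movement
    "10.0.0.5 198.51.100.77 443",   # appliance -> unknown external host
    "10.0.0.20 198.51.100.77 443",  # not from the appliance, ignored here
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("request:", finding)
    for flow in unexpected_appliance_flows(SAMPLE_FLOWS):
        print("flow:", flow)
```

The double `unquote` matters: a single decode pass leaves `%252f` as `%2f`, which contains no `..` segment and would pass a naive check. Likewise the flow check deliberately looks at every destination the appliance talks to, not just external ones, because an SMB or RDP connection from the VPN appliance to a workstation is exactly the credential-driven lateral movement described above.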
Ivanti provides an external version of its Integrity Checker Tool, which should be run whenever a system is suspected of being compromised.
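To show what an integrity check of this kind does in principle, here is a baseline-and-compare script added as an example. It is not Ivanti's Integrity Checker Tool and does not reproduce its manifest format or logic; it simply hashes a file tree while it is known-good and later reports what was modified, added or removed, which is the class of evidence (a modified login script, a dropped webshell) the investigation above relied on. The directory contents are constructed in a temporary folder for the demonstration.

```python
"""Baseline-and-compare file integrity check: the principle behind an
integrity checker. Added example only; not Ivanti's Integrity Checker
Tool. A SHA-256 manifest is taken while the tree is known-good, and a
later run reports files modified, added or removed since. The files
written below are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (POSIX separators) -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, root):
    """Return sorted lists of modified, added and removed files relative to baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo():
    """Build a known-good tree, baseline it, then tamper with it the way the
    article describes (login JavaScript altered, a webshell dropped, a file
    removed) and report the differences. Constructed content, not real files."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "web/login.js", "function login(){ /* legitimate */ }\n")
        _write(root, "web/help.txt", "help\n")
        _write(root, "bin/service", "#!/bin/sh\necho ok\n")
        baseline = build_manifest(root)

        # Tampering: credential capture appended to login.js, webshell added, file removed.
        _write(root, "web/login.js", "function login(){ /* legitimate */ }\nsendCreds();\n")
        _write(root, "web/shell.cgi", "#!/bin/sh\n")
        os.remove(os.path.join(root, "web", "help.txt"))
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

A checker that runs on the possibly compromised host can itself be tampered with or fed a forged manifest, which is why an external version of the tool, executed from trusted media against the appliance, is the one to trust during an investigation.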
Ivanti provides an interim mitigation, a mitigation file imported into the appliance, to apply until a patch is available.
Depending on the configuration, applying it may degrade some functionality, as listed on Ivanti's dedicated page.
This Cyber News was published on www.techrepublic.com. Publication date: Fri, 12 Jan 2024 22:43:04 +0000