Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.
While the company didn't provide additional details, it said that this is caused by a known race condition when pushing configurations that causes a web service to stop and the applied mitigation to stop working.
Ivanti company has yet to share if re-applying the mitigations XML also causes the mitigations to stop working, although this seems likely given that the race condition occurs each time new configurations are pushed to an appliance.
The warning comes after CISA issued 2024's first emergency directive ordering U.S. agencies to immediately apply mitigations for two Ivanti Connect Secure and Policy Secure zero-day flaws exploited in widespread attacks by multiple threat actors.
Ivanti ICS and IPS appliances have been targeted in large-scale attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection bugs since at least December.
When chained, the two zero-days allow attackers to move laterally within compromised networks, collect and exfiltrate data, and establish persistent system access to breached devices by deploying backdoors.
While the company has yet to release security patches, it has released mitigation measures that should block attack attempts and recovery instructions designed to help admins restore impacted appliances and bring them back into service.
Threat monitoring platform Shadowserver currently tracks over 21,400 Internet-exposed ICS VPN appliances, over 6,300 in the United States.
Shadowserver also monitors how many Ivanti Connect Secure VPN instances are being compromised worldwide daily, with over 700 compromised appliances discovered on January 21 alone.
Threat intelligence company Volexity said that one of the attackers actively exploiting the two zero-days-a suspected Chinese state-backed threat group tracked as UTA0178, also monitored by Mandiant as UNC5221-has already backdoored more than 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant.
Attackers have also deployed XMRig cryptocurrency miners and Rust-based malware payloads on compromised devices, according to Volexity and GreyNoise.
Mandiant also found five custom malware strains deployed on breached customers' systems to steal credentials, drop additional malicious payloads, and deploy webshells.
Attackers have been harvesting and stealing account and session data from the compromised networks of many victims, including government and military entities worldwide, national telecom companies, defense contractors, technology companies, banking, finance, and accounting organizations, and aerospace, aviation, and engineering firms.
They also vary significantly in size, from small businesses to some of the largest organizations worldwide, including multiple Fortune 500 companies across a wide range of industry sectors.
Ivanti Connect Secure zero-days now under mass exploitation.
Ivanti warns of Connect Secure zero-days exploited in attacks.
CISA emergency directive: Mitigate Ivanti zero-days immediately.
CISA: Critical Ivanti auth bypass bug now actively exploited.
Ivanti Connect Secure zero-days exploited to deploy custom malware.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 22 Jan 2024 18:25:23 +0000