Thousands of Ivanti VPN instances have been compromised across the globe in the last five days thanks to two serious, as yet unpatched zero-day vulnerabilities disclosed last week.
Ivanti Connect Secure VPN is a virtual private network tool that remotely connects mobile devices with corporate network resources, making it an attractive target for hackers looking to gain initial hooks into corporate IT environments.
ICS VPN takeovers have been shooting up worldwide, ever since the two new bugs were disclosed on Jan. 10.
To make matters worse: There won't be patches available for at least a few more days.
Thousands of Exploits in Ivanti VPNs

Each of the two ICS VPN bugs is powerful on its own, but they prove most effective in tandem.
First, CVE-2023-46805 - a high-severity 8.2 CVSS-scored vulnerability - allows attackers to bypass authentication checks.
The second, CVE-2024-21887, is rated a critical 9.1 out of 10 and allows an authenticated user, including one who gained that status via the bypass, to send specially crafted requests and run arbitrary commands on the compromised device.
UTA0178, a group Volexity believes works for the Chinese state, appears to have leveraged the two bugs as zero-days, in attacks dating back to early December.
The threat landscape changed once Ivanti and Volexity broke news of the bugs last week.
In the days that followed, thousands of new infections spread across the globe, with a Jan. 15 scan of 30,000 devices identifying at least 1,700 tainted VPNs. The majority of these could be attributed to UTA0178, which seems to have used the news as impetus to act before most organizations had time to harden themselves.
There appear to be attempted exploitations by other threat actors as well.
Victims thus far have run the gamut: from small organizations to Fortune 500 companies, across the military and government, telecommunications and finance, and more.
Most infections are concentrated in the United States, but they also span every other continent: Guyana to Germany, Egypt, Thailand, Australia, and so on.
What to Do if You're Affected

As yet there's no available patch for either ICS VPN vulnerability, and Ivanti is expected to be working on them for a while longer: Jan. 22 for CVE-2023-46805, and Feb. 19 for CVE-2024-21887.
In the meantime, there are two things customers can do.
On the day of the disclosure, Ivanti released a mitigation for blocking potential exploitations.
It's not a patch - it doesn't solve the underlying vulnerabilities - but it is designed to catch and root out potential attempts to exploit them.
Of course, such a preventative measure doesn't account for the thousands of existing compromises.
For those - and, really, any devices that haven't been fully examined yet - Ivanti VPN has a built-in Integrity Checker Tool that can detect compromises of the kind carried out by UTA0178.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 16 Jan 2024 21:35:16 +0000