Read more on Ivanti vulnerabilities:
- Two Ivanti Zero-Days Actively Exploited in the Wild
- Ivanti Zero-Days Exploited By Multiple Actors Globally
- Rust Payloads Exploiting Ivanti Zero-Days Linked to Sophisticated Sliver
- Ivanti Releases Zero-Day Patches and Reveals Two New Bugs
- Latest Ivanti Zero Day Exploited By Scores of IPs
- New Ivanti Vulnerability Observed as Widespread Security Concerns Grow
Eight government agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) issued an urgent warning on February 29 about the active exploitation of Ivanti product vulnerabilities.
Specifically, the joint advisory assessed that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.
The vulnerabilities identified as actively exploited by threat actors are the following:
These vulnerabilities impact all supported versions (9.x and 22.x) of Ivanti gateways.
Their severity ratings range from high to critical. They can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests and execute arbitrary commands with elevated privileges.
These are three of five vulnerabilities discovered in Ivanti’s product since January 2024.
Ivanti Compromise Detection Tools Fail
In their joint advisory, the Five Eyes agencies also note that cyber threat actors can deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.
“During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise.
“In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” reads the advisory.
You should listen to CISA
— Will Dormann (@wdormann) February 29, 2024
Neither the Ivanti Connect Secure (or Policy Secure Gateway) Integrity Checker Tool (ICT) nor Factory Reset capabilities can be trusted in cases where you think the device might be compromised.
Please think about this for a bit...https://t.co/ml3xwky2Vo pic.twitter.com/YyXZBWfOUq
Reacting to the advisory, an Ivanti spokesperson assured Infosecurity that CISA’s lab-based persistence technique has not been observed in the wild to date, and that the firm does not believe it will succeed in a live customer environment.
"Based on current analysis, we believe that outside of a lab environment, this action would break the connection with the box, and thus would not gain persistence in a live customer environment. Customers that patched and executed a successful factory reset (hardware) or deployed a new build (virtual) would not be at risk from the activity outlined in CISA’s report," added the spokesperson.
Five Eyes’ Mitigation Recommendations
The agencies provided a set of actions for all users of Ivanti gateways to take:
- Assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised
- Hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory
- Run Ivanti’s most recent external ICT
- Apply available patching guidance provided by Ivanti as version updates become available
- If a potential compromise is detected, collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory
“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” the document insisted.
Speaking to Infosecurity, an Ivanti spokesperson commented: "We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat. To be clear, 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti."
The spokesperson added that Mandiant, CISA and the other agencies who signed the joint advisory "continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring."
The joint advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (Cyber Centre), the Australian Cyber Security Centre (ACSC), the New Zealand National Cyber Security Centre (NCSC-NZ), the CERT-New Zealand (CERT NZ) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
These agencies received the support of Volexity, Ivanti, Mandiant and other industry partners.
This article was updated to include comments from Ivanti.