Two zero-day vulnerabilities discovered in Ivanti Connect Secure (ICS) and Policy Secure have been exploited by suspected China-linked nation-state actors to compromise fewer than 10 customers.
Cybersecurity company Volexity discovered the activity on the network of one of its customers in the second week of December 2023 and attributed it to a hacking group it tracks as UTA0178. There is evidence that VPN devices may have been compromised as early as December 3, 2023.
Two vulnerabilities that have been widely exploited to enable unauthenticated command execution on ICS devices are as follows:
- CVE-2023-46805 (CVSS Rating: 8.2) – An authentication bypass vulnerability exists in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which could allow a remote attacker to bypass control checks and access restricted resources.
- CVE-2024-21887 (CVSS Rating: 9.1) – A command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure could allow an authenticated administrator to send crafted requests and execute arbitrary commands on the device.
These vulnerabilities can be chained together to take over vulnerable instances across the network.
“If CVE-2024-21887 is combined with CVE-2023-46805, exploitation of this vulnerability does not require authentication and allows a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in an advisory.
The company said it observed threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT), which provides a snapshot of a device’s current state.
The patch is expected to be released in phases starting the week of January 22, 2024. In the meantime, users are advised to apply workarounds to protect against potential threats.
In incidents analyzed by Volexity, the two flaws were allegedly used to “steal configuration data, modify existing files, download remote files, and reverse tunnel from ICS VPN devices.”
The attacker further modified a legitimate CGI file (compcheck.cgi) on the ICS VPN device to allow command execution. Additionally, the JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate the credentials of users logging into the device.
“The information and credentials collected by the attackers allowed them to pivot to a small number of systems internally and ultimately to gain unrestricted access to systems on the network,” Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair and Thomas Lancaster explained.
These attacks are also characterized by reconnaissance efforts, lateral movement, and the deployment of a custom web shell called GLASSTOKEN via a backdoor CGI file to maintain persistent remote access to external-facing web servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in its own alert that it has added the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the available mitigations.
“Internet-accessible systems, especially critical devices such as VPN appliances and firewalls, have once again become a favorite target for attackers,” Volexity said.
“These systems are often located in critical parts of the network, cannot run traditional security software, and typically sit in prime positions for attackers to operate from. Organizations need to ensure they have policies in place to monitor activity on these devices and respond quickly in the event of something unexpected.”