
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations for two actively exploited zero-days in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.
This development follows the widespread exploitation of an authentication bypass (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) by multiple threat actors. These flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system.
Ivanti, a U.S. company, acknowledged in an advisory that there had been a “sharp increase in threat actor activity” since the flaws were publicly disclosed on January 11, 2024.

“Successful exploitation of vulnerabilities in these affected products could allow malicious threat actors to move laterally, perform data exfiltration, and establish persistent system access, resulting in complete compromise of the target information system,” the agency said.
Ivanti expects to release an update next week to address the flaws and has provided a workaround via an XML file that can be imported into affected products to make the necessary configuration changes.
CISA urges organizations running ICS to apply the mitigations and run Ivanti's external integrity checker tool to identify signs of compromise; if any are found, the device should be disconnected from the network and reset before the XML file is imported.
Additionally, FCEB entities are urged to revoke and reissue any stored credentials, and to reset administrator enable passwords, stored API keys, and the passwords of any local users defined on the gateway.
Cybersecurity companies Volexity and Mandiant observed attacks exploiting these two flaws to deploy web shells and passive backdoors to gain persistent access to infected devices. To date, an estimated 2,100 devices worldwide have been compromised.

The first wave of attacks, identified in December 2023, was attributed to a Chinese nation-state group tracked as UTA0178. Mandiant tracks the activity as UNC5221, although it has not yet been attributed to any specific group or country.
Threat intelligence firm GreyNoise said it had also observed the vulnerabilities being abused to deploy persistent backdoors and XMRig cryptocurrency miners, suggesting that opportunistic actors are exploiting them for financial gain.