Tag: CVE-2023-46805

  • Mirai Botnet Exploits Ivanti Connect Secure Flaws

    Recent vulnerabilities in Ivanti Connect Secure devices have enabled attackers to deploy the Mirai botnet, according to security researchers from Juniper. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, are currently being actively exploited.

    The first vulnerability allows for authentication bypass, while the second enables command injection. Together, they permit attackers to execute arbitrary code and gain control over the compromised systems. In the attack chain observed by Juniper, these vulnerabilities were used to access the endpoint “/api/v1/license/key-status/,” which is susceptible to command injection.

    According to a January study by Assetnote, the infection is triggered by a request to “/api/v1/totp/user-backup-code/,” carrying a sequence of commands that deletes files, downloads a script from a remote server, makes it executable, and launches it, infecting the system.

    Security researcher Kashinath Pattan explained that the script is designed to download the Mirai malware from an IP address controlled by the attackers (“192.3.152[.]183”). “The discovery of these vulnerabilities for the delivery of the Mirai botnet highlights the ever-evolving landscape of cyber threats,” noted Pattan.

    He added that in the future, these vulnerabilities are expected to be increasingly used to spread this and other malicious software.

  • MITRE Hacked: State-Sponsored Breach Exploits Zero-Days

    The MITRE Corporation, a non-profit organization, has disclosed that in January 2024, a sophisticated, state-sponsored hacker group infiltrated its systems by chaining together two zero-day exploits in the Ivanti VPN.

    The incident was initially identified following the detection of suspicious activity within MITRE’s NERVE (Networked Experimentation, Research, and Virtualization Environment), a non-classified collaborative network utilized for research and development. Subsequently, MITRE notified affected parties, reported the incident to the relevant authorities, and is currently working on restoring its systems.

    Evidence gathered during the ongoing investigation indicates that the breach did not extend to the core corporate network or to the systems of its partners.

    “No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO of MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security, as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

    In a separate release, Charles Clancy, MITRE’s Chief Technology Officer, and Lex Crumpton, a cybersecurity engineer, explained that the attackers compromised one of MITRE’s VPNs using two previously discovered zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887).

    Furthermore, the attackers were able to circumvent multi-factor authentication by hijacking a session, allowing them to navigate through VMware infrastructure using a compromised administrator account.

    Throughout the attack, the hackers employed a combination of sophisticated web shells and backdoors to maintain access to compromised systems and gather credentials.

    It is important to note that vulnerabilities CVE-2023-46805 and CVE-2024-21887 allow for bypassing authentication and injecting arbitrary commands. As reported by the security firm Mandiant in January 2024, these bugs were exploited by hackers to deploy several families of custom malware, with espionage being the primary goal of the attackers.

    MITRE emphasized that the organization had followed government and Ivanti advice in January to “update, replace, and fortify” its Ivanti systems. However, specialists did not observe any lateral movement of hackers within the VMware infrastructure at that time. “We believed we had taken all necessary actions to mitigate the vulnerability, but clearly, these measures were insufficient,” acknowledged the experts.

  • Chinese Hackers Target Ivanti: Critical Vulnerabilities Exposed

    The Cybersecurity and Infrastructure Security Agency (CISA) along with several leading global organizations have issued a new warning about critical vulnerabilities in the products of IT giant Ivanti. According to experts, these issues, identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, are widely utilized by governmental structures worldwide.

    A report published by the research firm Mandiant, owned by Google, reveals that multiple Chinese hacker groups, including Volt Typhoon, are actively exploiting these vulnerabilities. Additionally, hackers with financial motives have joined the attacks, a departure from previously reported cyber espionage campaigns.

    Mandiant researchers have been tracking the activities of a group likely associated with Volt Typhoon since February 2024. This group also overlaps with TAG-87 and BRONZE SILHOUETTE, focusing its efforts on the energy and defense sectors in the United States.

    Beyond Volt Typhoon, four other Chinese groups exploiting these bugs were discovered after Ivanti made them public on January 10, 2024.

    Financially motivated cybercriminals primarily use CVE-2023-46805 and CVE-2024-21887 for operations such as covert cryptocurrency mining. Only one group, known as UNC5221, exploited CVE-2023-46805 and CVE-2024-21887 before their disclosure.

    Mandiant noted no instances where Volt Typhoon successfully compromised Ivanti Connect Secure solutions. This group’s activity commenced in December 2023 with attacks on Citrix NetScaler ADC before shifting its focus to Ivanti devices.

    Other hackers, upon successful breach, deployed various malicious programs, including the TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, and SPAWNMOLE families. Often, to penetrate deeper into internal systems, they resorted to tools from Microsoft and VMware.

    Patches for all three vulnerabilities are now available. The Mandiant report was published a day after Ivanti’s CEO promised a series of changes in response to a string of high-profile incidents affecting governmental organizations worldwide.

  • Thousands of Vulnerabilities Found in Pulse Secure

    A recent investigation into the firmware of Ivanti’s Pulse Secure devices has exposed deep security weaknesses within the software supply chain. Specialists at Eclypsium uncovered numerous vulnerabilities, showcasing the complexity of safeguarding such software systems.

    During their analysis, researchers employed reverse engineering to examine the firmware version 9.1.18.2-24467.1 utilized in Pulse Secure hardware. They discovered that the foundation for the devices is the CentOS 6.4 operating system, based on Linux, which was released 11 years ago and has not received security updates for over three years.

    This issue has garnered increased attention due to a recent surge in attacks on Ivanti products, including Connect Secure, Policy Secure, and ZTA gateways. Malefactors exploit these vulnerabilities to disseminate malware, compromising user data and security.

    The actively exploited vulnerabilities identified include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Additionally, Ivanti disclosed information about a new vulnerability, CVE-2024-22024, which facilitates unauthorized access to protected resources.

    The Eclypsium report highlights the use of outdated components in the Pulse Secure device firmware, including a version of Perl that hasn’t been updated in 23 years, and a version of the Linux kernel whose support ended in 2016. Such findings underscore the risks associated with using obsolete software.

    Further analysis by the researchers revealed over 1200 issues in shell scripts and more than 5000 vulnerabilities in Python files, indicating deep-seated security problems in the firmware. Moreover, 133 obsolete certificates were found, further exacerbating the situation.

    Particular attention was given to the shortcomings of the integrity-checking tool recommended by Ivanti. This tool skips scanning key directories, theoretically allowing malefactors to bypass detection, creating a “false sense of security.”

    Based on these findings, Eclypsium demonstrated a theoretical attack in which a malefactor could exploit the flaws of the integrity checking tool to covertly place malware.

    Eclypsium experts concluded that software and hardware suppliers must establish an open and transparent system of development and support for their products, allowing third-party organizations to independently assess their integrity and security.

    “The more open this process is, the better job we can do to validate the digital supply chain, namely the hardware, firmware, and software components used in their products,” the specialists concluded.

  • Patch Now: Ivanti Fixes Critical Vulns, New Zero-Day Emerges

    Ivanti has released a suite of patches for vulnerabilities in its Connect Secure (ICS) and Policy Secure (IPS) gateways. Concurrently, the company has identified two new zero-day vulnerabilities, one of which is being actively exploited.

    This announcement comes in the wake of Ivanti’s disclosure about the delay in releasing the initial batch of patches, which were expected last week. The patches are now available for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and the ZTA version 22.6R1.3.

    Administrators are advised to reset their devices to factory settings before installing the patch to mitigate the risk of attacks during the update process, which could take up to four hours.

    The vulnerabilities, identified as CVE-2023-46805 (CVSS: 8.2) and CVE-2024-21887 (CVSS: 9.1) and disclosed in mid-January, allow unauthorized attackers to remotely execute code.

    Initially, ten victims were reported, but the number of affected parties has since rapidly increased. The patches, intended for release as soon as possible, were ultimately made available on January 31.

    In light of these threats, the United States Cybersecurity and Infrastructure Security Agency (CISA) has stated that some attackers have managed to circumvent Ivanti’s protective measures. The agency warned that adversaries continue to exploit vulnerabilities in Ivanti Connect Secure and Policy Secure gateways to steal credentials or deploy web shells, enabling further compromise of corporate networks.

    The new zero-day vulnerabilities, tracked as CVE-2024-21888 (CVSS: 8.8) and CVE-2024-21893 (CVSS: 8.2), affect all supported versions of ICS, IPS, and ZTA gateways. The former allows an attacker to elevate their privileges to an administrative level, while the latter is a server-side request forgery vulnerability.

    Despite their recent discovery, patches for these new zero-day vulnerabilities are already available for download. Ivanti strongly urges its clients to promptly apply all the latest patches to safeguard their systems.

  • CISA’s Urgent Call: Mitigate Ivanti Zero-Day Threats Now

    The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has urgently issued a directive, urging Federal Civilian Executive Branch (FCEB) agencies to mitigate the effects of two actively exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS).

    The warning comes in light of two vulnerabilities—an authentication bypass (CVE-2023-46805, CVSS score: 8.2) and a code injection flaw (CVE-2024-21887, CVSS score: 9.1)—being widely exploited by various malefactors. These flaws allow an attacker to craft malicious requests and execute arbitrary commands within the system.

    Ivanti acknowledged that it “observed a sharp increase in threat actor activity starting on January 11,” following the public disclosure of these vulnerabilities. Successful exploitation enables a cybercriminal to perform lateral movement, steal data, and maintain persistent access to the system, leading to the complete compromise of targeted information systems.

    Ivanti, expected to release an update to rectify these vulnerabilities next week, has provided a temporary workaround through an XML file that can be imported into the affected products to make the necessary configuration changes.

    CISA encourages organizations using ICS to apply protective measures and run an external integrity verification tool to detect signs of compromise; if compromise is detected, they should disconnect the device from the network, reboot it, and then import the XML file.

    Furthermore, FCEB organizations are strongly advised to revoke and reissue any stored certificates, reset the administrator password, preserve API keys, and reset the passwords of any local user defined on the gateway.

    Cybersecurity firms Volexity and Mandiant have observed attacks exploiting these vulnerabilities to deploy web shells and backdoors for persistent access to infected devices. It is estimated that to date, approximately 2,100 devices worldwide have been compromised.

    The initial wave of attacks was recorded in December 2023. Since then, numerous new groups, in addition to the suspected Chinese state hackers (UTA0178 or UNC5221), have joined in the active exploitation of these vulnerabilities.

  • Global Security Alert: Over 1,700 VPN Devices Hacked with GIFTEDVISITOR Web Shell

    Earlier this month, we discussed the zero-day vulnerabilities in Ivanti products. A recent analysis by Mandiant revealed that attackers employed five distinct malware families in their assaults, including Zipline, Thinspool Dropper, Wirefire, Lightwire, and Warpwire Harvester.

    According to the latest findings from Volexity experts, over 1,700 compromised Connect Secure VPN devices were detected on January 14th of this year, infected with the GIFTEDVISITOR web shell. The list of victims encompasses state and private entities worldwide, including military institutions, national telecommunications companies, defense contractors, technology firms, banks, financial and accounting organizations, global consulting companies, and firms within the aerospace, aviation, and engineering sectors.

    The Shadowserver threat monitoring service tracks more than 16,800 Connect Secure VPN devices accessible from the internet globally. The majority of these devices, approximately 5,000, are located in the USA, underscoring the undeniably global nature of this threat.

    It has been confirmed that attackers can execute arbitrary commands on all supported versions of VPN Connect Secure and Policy Secure devices, effectively combining two previously identified vulnerabilities, CVE-2023-46805 and CVE-2024-21887. Meanwhile, in addition to the previously suspected Chinese state-sponsored hackers (UTA0178 or UNC5221), numerous new groups have joined in the active exploitation of these vulnerabilities.

    Ivanti has yet to release the necessary fixes, suggesting that the problem may be more profound than initially perceived. Administrators are strongly advised to implement mitigation measures provided by the company for all VPN devices in the network and to use the Ivanti Integrity Checker tool to detect signs of hacking.

    In July last year, two other Ivanti zero-day vulnerabilities (CVE-2023-35078 and CVE-2023-35081) were exploited to breach several Norwegian government organizations, and a month later, hackers began exploiting a third vulnerability (CVE-2023-38035) in Ivanti Sentry software to circumvent API authentication.

  • Mandiant Uncovers “UNC5221”: Stealthy Hackers Bypass VPN Defenses with Malware Arsenal

    At least five different types of malware have been employed by suspected state-sponsored hackers to gain access to company networks through zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices. These attacks have been occurring since the beginning of December 2023.

    According to Mandiant, the group UNC5221 used these malware programs to bypass authentication systems and covertly access devices. To exploit vulnerable devices, hackers utilized an exploit chain that included an authentication bypass vulnerability (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887), discovered in Ivanti Connect Secure and Policy Secure products.

    Volexity, attributing this activity to the Chinese espionage group UTA0178, previously explained that the vulnerabilities allow for initial access, web shell installation, backdoor embedding in legitimate files, credential and configuration file gathering, and deeper penetration into victims’ internal networks.

    Ivanti stated that fewer than ten customers were affected by the attack, suggesting the campaign’s targeted nature. Patches for the two vulnerabilities (informally named ConnectAround by security researcher Kevin Beaumont) are expected to be released next week.

    Mandiant’s analysis revealed that the attackers used five different malware programs. They also embedded malicious code into legitimate ICS system files and employed tools such as BusyBox (a suite of UNIX command-line utilities) and PySoxy (a SOCKS5 proxy server).

    Experts note that, because of the file-system restrictions on some devices, the hackers used a Perl script to modify access rights and deploy malware. The primary tools for maintaining access to compromised systems were the web shells LIGHTWIRE and WIREFIRE. Additionally, the JavaScript-based malware WARPWIRE was used for credential gathering, along with the ZIPLINE backdoor, which is capable of uploading and downloading files, establishing a reverse shell, creating proxy servers, and setting up network tunneling to distribute traffic among multiple endpoints.

    While UNC5221 is not yet linked to any known groups, the group’s methods indicate an advanced persistent threat. The use of zero-day vulnerabilities and covert infrastructure is characteristic of state-sponsored hackers. UNC5221’s activity demonstrates that network perimeter devices remain an attractive target for espionage groups.