Learn more about Ivanti vulnerabilities:
Eight government agencies from the Five Eyes countries (Australia, Canada, New Zealand, the United Kingdom and the United States) issued an urgent warning on February 29 regarding the active exploitation of vulnerabilities in Ivanti products.
Specifically, the joint advisory assessed that cyberthreat actors are exploiting previously identified vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways.
Vulnerabilities identified as actively exploited by malicious actors include:
These vulnerabilities affect all supported versions (9.x and 22.x) of Ivanti Gateways.
Their severity levels range from high to critical. They can be used in a chain of exploits to allow malicious cybercriminals to bypass authentication, create malicious requests, and execute arbitrary commands with elevated privileges.
These are three of five vulnerabilities discovered in the Ivanti product since January 2024.
Ivanti Compromise Detection Tools Fail
In their joint adviceThe Five Eyes agencies also note that cyberthreat actors can fool Ivanti’s internal and external Integrity Check Tool (ICT), resulting in the inability to detect a compromise.
“During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s previous internal and external ICTs had failed to detect a compromise.
“Additionally, CISA has conducted independent research in a laboratory environment confirming that Ivanti ICT is not sufficient to detect compromises and that a cyber threat actor may be able to achieve persistence at the root level despite the reset factory settings,” the notice states.
You should listen to CISA
Neither the Ivanti Connect Secure Integrity Check Tool (ICT) (or Policy Secure Gateway) nor the factory reset features can be relied upon in cases where you suspect the device may be compromised.
Please think about this a little…https://t.co/ml3xwky2Vo pic.twitter.com/YyXZBWfOUq– Will Dormann (@wdormann) February 29, 2024
In response to the notice, an Ivanti spokesperson assured Information security that CISA’s laboratory persistence technique has not yet been observed in the wild and that the company does not believe it will be successful in a real-world customer environment.
“Based on current analysis, we believe that outside of a lab environment, this action would break the connection with the enclosure and therefore would not gain persistence in a real-world customer environment. Customers who have patched and successfully executed a factory reset (hardware) or deployed a new release (virtual) would not be at risk from the activity described in the CISA report,” the spokesperson added.
Five Eyes Mitigation Recommendations
The agencies have proposed a set of actions that all Ivanti gateway users can take:
- Assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised.
- Scan their networks for malicious activity using the detection methods and indicators of compromise (IOCs) contained in this advisory.
- Run Ivanti’s latest external ICT
- Apply available patching guidance provided by Ivanti as version updates become available
- If a potential compromise is detected, collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations contained in this advisory.
“The author organizations strongly urge all organizations to “Consider the significant risk of adversary access and persistence to Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue using these devices in an enterprise environment,” the document urges.
Talk to Information securityan Ivanti spokesperson commented: “We appreciate the findings from our security and government partners that enable our customers to protect themselves against this evolving and highly sophisticated threat. To be clear, the February 29 advisory does not contain information about a new vulnerability, and Ivanti and our partners are not aware of any instances of successful persistence of malicious actors after implementing updates security and factory resets recommended by Ivanti.
The spokesperson added that Mandiant, CISA and the other agencies that signed the joint advisory “continue to recommend that advocates implement the available update guidance provided by Ivanti if they have not already done so.” , and run Ivanti’s updated Integrity Check Tool (ICT). released February 27to help detect known attack vectors, alongside continuous monitoring.
The joint advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Center (NCSC-UK), the Canadian Center for Cyber Security (Cyber Centre), the Australian Cyber Security Center (ACSC). ), the New Zealand National Cyber Security Center (NCSC-NZ), CERT-New Zealand (CERT NZ) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
These agencies have received support from Volexity, Ivanti, Mandiant and other industry partners.
This article has been updated to include comments from Ivanti.