Dive Brief:
- Ivanti released a long-awaited security patch for two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure VPNs that have been exploited by a suspected nation-state threat actor since early December.
- The exploitation compromised thousands of Ivanti devices and prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive requiring Federal Civilian Executive Branch agencies to take immediate action.
- “We included a fix for these vulnerabilities and previously identified vulnerabilities in the patch released today, and patches planned for release for additional versions will also include a comprehensive fix,” Ivanti said in an emailed statement.
Dive Insight:
The two original zero-days, tracked as CVE-2023-46805 and CVE-2024-21887, have been under exploitation for weeks after a suspected China-nexus threat actor chained the two vulnerabilities together and compromised thousands of devices with a malicious webshell, according to researchers from Mandiant and Volexity.
Ivanti, working with Mandiant, identified additional threat activity designed to interfere with remediation efforts. Volexity researchers found the threat actor modifying the Integrity Checker Tool.
CISA on Tuesday warned that several threat actors had found workarounds that let them hide their movement from network defenders. Mandiant said these additional threat actors are financially motivated.
Mandiant said the post-mitigation threat activity involved a custom webshell called Bushwalk, which allowed the threat actor to read or write files on the server.
During the investigation with Mandiant, two additional vulnerabilities were identified: a privilege escalation vulnerability, tracked as CVE-2024-21888, and a server-side request forgery (SSRF) vulnerability, tracked as CVE-2024-21893.
A small number of customers have been affected by active exploitation of CVE-2024-21893, according to Ivanti; the company said it has no evidence of customers being affected by CVE-2024-21888.
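The reports above of an attacker modifying the appliance's own Integrity Checker Tool and dropping a file-reading and file-writing webshell illustrate why an integrity check should not depend on tooling that lives inside the compromised system. The following Python script is an added example, not Ivanti's ICT or any code from the vendor or the researchers cited: it hashes a file tree, compares it against a known-good manifest, and reports added, removed and modified files. The directory layout, file names (`cgi/app.pl`, `bin/integrity_check.pl`, `www/dropped.cgi`) and file contents are constructed for the demonstration; in practice the manifest must come from a trusted source such as a vendor-supplied hash list or a clean offline image, never from the device after it may have been compromised.

```python
"""Independent file-tree integrity check (added example, not vendor code).

Builds a manifest of SHA-256 digests for every regular file under a root,
then classifies differences against a known-good manifest. The demo()
function constructs a small tree, snapshots it, and then mimics the kind
of post-exploitation changes the article describes: a script backdoored,
the checker itself altered, and a new webshell dropped.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its digest.

    Symlinks are skipped so an attacker cannot satisfy the check by pointing
    a link at a pristine copy while the real file is replaced elsewhere.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(known_good: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted manifest and a live snapshot.

    'added'    -> files not in the trusted manifest (e.g. a dropped webshell)
    'removed'  -> trusted files missing (e.g. deleted logs or tooling)
    'modified' -> trusted files whose content changed (e.g. a trojaned script,
                  or the integrity checker itself having been edited)
    """
    return {
        "added": sorted(set(observed) - set(known_good)),
        "removed": sorted(set(known_good) - set(observed)),
        "modified": sorted(
            p for p in known_good.keys() & observed.keys() if known_good[p] != observed[p]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: pristine tree, then attacker changes.

    The 'known_good' manifest is taken before the simulated compromise to
    stand in for a vendor-supplied hash list. All paths/contents are made up.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi").mkdir()
        (root / "bin").mkdir()
        (root / "cgi" / "app.pl").write_text("# original handler\n")
        (root / "bin" / "integrity_check.pl").write_text("# checker v1\n")
        known_good = build_manifest(root)

        # Simulated post-exploitation activity (constructed, not real data):
        # 1. backdoor an existing script, 2. edit the checker to exclude it,
        # 3. drop a new webshell.
        (root / "cgi" / "app.pl").write_text("# original handler\n# backdoor\n")
        (root / "bin" / "integrity_check.pl").write_text("# checker v1 + exclusions\n")
        (root / "www").mkdir()
        (root / "www" / "dropped.cgi").write_text("#!/usr/bin/perl\n")

        return compare(known_good, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Because the comparison runs against a manifest held outside the device, a modified on-box checker cannot suppress its own findings; the `modified` entry for the checker script in the demo is exactly the signal that the appliance's own tool would have hidden.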