Dive Brief:
- The FBI, Cybersecurity and Infrastructure Security Agency and Five Eyes intelligence partners warn that critical vulnerabilities in Ivanti Connect Secure and Policy Secure are still facing active exploitation, according to an advisory released Thursday. The global alert comes weeks after Ivanti released a security patch and related mitigation guidance.
- Threat actors may be able to gain root-level persistence, even after a user performs a factory reset on a device, officials said. The partner agencies include cybersecurity authorities from the U.K., Canada, Australia and New Zealand as well as MS-ISAC.
- Threat actors have also figured out a way to bypass the Ivanti Integrity Checker Tool, making it unable to detect intrusions in certain cases.
Dive Insight:
Threat actors have been exploiting critical zero-day vulnerabilities in Ivanti Connect Secure and other products since early December. The advisory specifically flags an authentication bypass vulnerability, CVE-2023-46805, a command injection vulnerability, CVE-2024-21887, and a server-side request forgery vulnerability, CVE-2024-21893.
The suspected state-linked espionage actors have exploited the vulnerabilities, bypassed authentication methods, gained persistent access and engaged in malicious activities, including the installation of webshells.
Threat actors have used living-off-the-land techniques and novel malware to establish persistence, Mandiant said earlier this week. The hackers attempted to mask their activity, even after customers initiated factory resets, patching and system upgrades.
“Since initial disclosure of these vulnerabilities, CISA and our partners have worked urgently to provide actionable guidance and assist impacted victims,” Eric Goldstein, assistant executive director for cybersecurity at CISA, said in a statement related to the advisory.
Ivanti welcomed the findings from CISA and other authorities, but said in a statement that it was not aware of any threat actor gaining persistence after customers implemented factory resets and the recommended security updates. Ivanti emphasized that CISA’s findings were based on tests in a laboratory setting, which it argued would not be replicated in a normal customer environment.
“Based on current analysis, we believe that outside of a lab environment, this action would break the connection with the box, and thus would not gain persistence in a live customer environment,” Ivanti said in the statement.
However, Geoff Mattson, CEO of Xage Security, said the finding speaks to inherent weaknesses in key security products that are widely used across key industries.
“This is the canary in the coal mine,” Mattson said via email. “Legacy security products, in particular VPNs, are not modern software – far from it.
“Vulnerability researchers have shown that Ivanti VPN has modules that have a collection of open source software executables that have not been updated in over 20 years – which is prehistoric in the software world, not to mention inherently vulnerable to attack,” Mattson said.
Correction: This story has been updated to clarify that Mandiant has seen hackers attempt to mask their activity.