Dive Brief:
- Ivanti Connect Secure and Ivanti Policy Secure Gateways are facing renewed exploitation, days after the company released a patch for two zero-day vulnerabilities that were under active exploitation. Ivanti disclosed two new vulnerabilities when it released the patch, which addresses all known issues.
- “At this point exploitation is widespread with every exposed Ivanti Connect Secure VPN instance hit,” Piotr Kijewski, CEO of the Shadowserver Foundation, said via email. Specific details on the attackers were not immediately known, but the attacks include reverse shell setup attempts and config dumping.
- The Cybersecurity and Infrastructure Security Agency last week issued a supplemental directive ordering Federal Civilian Executive Branch agencies running the affected Ivanti products to disconnect them from agency systems by the end of Feb. 2.
Dive Insight:
A suspected China-nexus threat actor has exploited two chained vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure dating back to early December. The vulnerabilities, listed as CVE-2023-46805 and CVE-2024-21887, led to the installation of malicious webshells on thousands of devices.
Exploitation attempts began to escalate in mid-January, after initial disclosure of the vulnerabilities, and additional financially motivated threat actors leveraged the vulnerabilities. Threat actors were also able to find workarounds to bypass temporary mitigation efforts and manipulate the company’s integrity checker tool, making the intrusions more difficult to detect.
More than 2,100 devices were compromised by Jan. 19 and thousands more were exposed to active exploitation for weeks. Security researchers observed continued threat activity after the initial patches were released Jan. 31.
Ivanti last week disclosed new vulnerabilities, including CVE-2024-21888, which allows privilege escalation, and CVE-2024-21893, a server-side request forgery in the SAML component.
Security researchers have observed increased activity leading up to the patch and new activity since. Volexity researchers report seeing new backdoors dropped in recent days.
“The best bet for organizations at this point is to follow the factory reset process, do a fresh install and fully patch,” Steven Adair, founder and president of Volexity, said via email.
Ivanti last week warned of a likely surge in exploitation, but says the current activity is mostly scanning.
“At the time of disclosure of CVE-2024-21893, we noted in the KB that we anticipated the threat actor to change their behavior and that there would be a sharp increase in exploitation once the information was public – fortunately, this has not been the case,” the company said Tuesday via email. “What we have seen is large numbers of security researchers scanning for the vulnerabilities as part of their work researching them.”
The company said it is actively working with customers to help them apply patches and mitigate, adding that many have already completed the updates.
CVE-2024-21893 is actually an n-day vulnerability in the xmltooling library, Stephen Fewer, principal security researcher at Rapid7, said Friday in a post on X, the site formerly known as Twitter. It was patched in June 2023 and assigned CVE-2023-36661.
The server-side request forgery vulnerability can be chained together with CVE-2024-21887 for unauthenticated command injection, Fewer said.
Palo Alto Networks’ Unit 42 observed more than 28,000 exposed instances of Ivanti Connect Secure and Ivanti Policy Secure from Jan. 26-30 in 145 countries.
Ivanti, which has been working with Mandiant on mitigation efforts, is expected to release additional security updates in the next several weeks.
Correction: In a previous version of this article Stephen Fewer, principal security researcher at Rapid7, was misidentified.