Several global security agencies have issued warnings regarding the recent exploitation of zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways. These agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI), as well as counterparts in Australia, the UK, Canada, and New Zealand, have advised organizations to carefully consider the risks associated with continuing to use these devices in enterprise environments.
In response to these revelations, Ivanti has released an enhanced version of its external integrity checking tool (ICT) to provide additional protection for its customers. However, concerns remain regarding the effectiveness of the integrity checking tools provided by Ivanti in detecting compromises. Both internal and external integrity checks were found to be inadequate in some cases, as they failed to identify existing compromises on the devices.
Incident response engagements conducted by CISA revealed that malware authors could evade detection by activating their malware only in the windows between the periodic scans performed by Ivanti’s integrity checking tools. This gap was exploited by a China-based APT group known as UNC5325, which demonstrated a high level of knowledge of and familiarity with the internal workings of Ivanti SSL VPN gateways. In limited attacks, UNC5325 leveraged a combination of living-off-the-land (LotL) techniques and novel malware, such as the web shell BUSHWALK, to persist across system upgrades, patches, and factory resets.
UNC5325’s use of a web shell embedded in a legitimate Ivanti Connect Secure component highlights the group’s sophistication in exploiting vulnerabilities in Ivanti devices. The web shell, named BUSHWALK, is written in Perl and enables remote access to compromised devices. In the latest attacks, UNC5325 utilized a new variant of the web shell and a technique that allowed them to enable or disable it based on specific user-agent strings in requests sent to the shell.
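A user-agent-gated shell still has to receive requests that carry its trigger string, so one defensive signal is a user-agent that appears only once or twice on an endpoint that otherwise sees ordinary browser clients. The following is an added example of that check, not code from the article or from any agency advisory; the log lines, the `/example/login.cgi` path, the addresses and every user-agent string in it are constructed for illustration and are not indicators of compromise.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in combined log format. The path, the
# addresses and every user-agent string are made up for this example; none
# of them is an indicator taken from the advisories summarized above.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /example/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
10.0.0.6 - - [20/Feb/2024:10:01:09 +0000] "GET /example/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
10.0.0.7 - - [20/Feb/2024:10:02:15 +0000] "GET /example/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
10.0.0.5 - - [20/Feb/2024:10:02:44 +0000] "POST /example/login.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
10.0.0.8 - - [20/Feb/2024:10:03:01 +0000] "GET /example/login.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
203.0.113.9 - - [20/Feb/2024:10:03:40 +0000] "POST /example/login.cgi HTTP/1.1" 200 77 "-" "x-toggle-agent"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["path"].split("?", 1)[0]  # group on the path only
    return fields


def find_rare_user_agents(lines, max_seen=1):
    """Flag requests whose user-agent occurs at most `max_seen` times on its path.

    Ordinary clients of a login endpoint repeat a handful of browser strings;
    a toggle string sent to a gated shell stands out as a singleton per path.
    """
    records = [r for r in (parse_line(ln) for ln in lines) if r]
    per_path = defaultdict(Counter)
    for r in records:
        per_path[r["path"]][r["ua"]] += 1
    return [
        {"ip": r["ip"], "ts": r["ts"], "method": r["method"], "path": r["path"], "ua": r["ua"]}
        for r in records
        if per_path[r["path"]][r["ua"]] <= max_seen
    ]


if __name__ == "__main__":
    for hit in find_rare_user_agents(SAMPLE_LOG.splitlines()):
        print(f"rare user-agent on {hit['path']} from {hit['ip']} at {hit['ts']}: {hit['ua']!r}")
```

On a real gateway the baseline would be built from a longer window of logs and the threshold tuned per endpoint, since a single rare user-agent is a triage lead rather than proof of a shell.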
The ongoing threats posed by attackers leveraging zero-day vulnerabilities in Ivanti’s gateways underscore the importance of continuous monitoring and updating of security measures. Organizations are advised to remain vigilant and implement additional safeguards to protect their Ivanti devices from malicious actors seeking to gain unauthorized access and maintain persistence on compromised systems.
In conclusion, the recent warnings issued by security agencies serve as a reminder of the evolving threat landscape faced by enterprises worldwide. The collaboration between multiple nations in addressing these security concerns highlights the need for a united front against cyber threats. It is imperative for organizations to stay proactive in their security practices and take necessary steps to safeguard their digital assets from potential vulnerabilities and exploits.