HomeCyber BalkansCaution from abroad: Threat actors may obtain lasting access to Ivanti VPN...

Caution from abroad: Threat actors may obtain lasting access to Ivanti VPN appliances

Published on

spot_img

Several global security agencies have issued warnings regarding the recent exploitation of zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure gateways. These agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI), as well as counterparts in Australia, the UK, Canada, and New Zealand, have advised organizations to carefully consider the risks associated with continuing to use these devices in enterprise environments.

In response to these revelations, Ivanti has released an enhanced version of its external integrity checking tool (ICT) to provide additional protection for its customers. However, concerns remain regarding the effectiveness of the integrity checking tools provided by Ivanti in detecting compromises. Both internal and external integrity checks were found to be inadequate in some cases, as they failed to identify existing compromises on the devices.

Incident response engagements conducted by CISA revealed that malware authors could potentially evade detection by activating their malware between periodic scans performed by Ivanti’s integrity checking tools. This loophole was exploited by a China-based APT group known as UNC5325, which demonstrated a high level of knowledge and familiarity with the internal workings of Ivanti SSL VPN gateways. In limited attacks, UNC5325 leveraged a combination of living-off-the-land (LotL) techniques and novel malware, such as the web shell BUSHWALK, to persist across system upgrades, patches, and factory resets.

UNC5325’s use of a web shell embedded in a legitimate Ivanti Connect Secure component highlights the group’s sophistication in exploiting vulnerabilities in Ivanti devices. The web shell, named BUSHWALK, is written in Perl and enables remote access to compromised devices. In the latest attacks, UNC5325 utilized a new variant of the web shell and a technique that allowed them to enable or disable it based on specific user-agent strings in requests sent to the shell.

The ongoing threats posed by attackers leveraging zero-day vulnerabilities in Ivanti’s gateways underscore the importance of continuous monitoring and updating of security measures. Organizations are advised to remain vigilant and implement additional safeguards to protect their Ivanti devices from malicious actors seeking to gain unauthorized access and maintain persistence on compromised systems.

In conclusion, the recent warnings issued by security agencies serve as a reminder of the evolving threat landscape faced by enterprises worldwide. The collaboration between multiple nations in addressing these security concerns highlights the need for a united front against cyber threats. It is imperative for organizations to stay proactive in their security practices and take necessary steps to safeguard their digital assets from potential vulnerabilities and exploits.

Source link

Latest articles

Hackers Combine Stolen Wallet Databases with Keychain Passwords for Offline Crypto Theft

Rising Threat: macOS Malware Combines Stolen Data for Cryptocurrency Theft In a notable development in...

US Launches Gold Eagle to Enhance AI-Driven Vulnerability Management

The U.S. government is intensifying its efforts to address the escalating vulnerabilities in cybersecurity...

AI Leaders Gaining an Edge in Quantum Readiness

Agentic AI, Artificial Intelligence & Machine Learning, ...

Flaw Surge Drives CISOs to Reevaluate Vulnerability Management

In the complex landscape of cybersecurity, the debate over effective vulnerability management continues to...

More like this

Hackers Combine Stolen Wallet Databases with Keychain Passwords for Offline Crypto Theft

Rising Threat: macOS Malware Combines Stolen Data for Cryptocurrency Theft In a notable development in...

US Launches Gold Eagle to Enhance AI-Driven Vulnerability Management

The U.S. government is intensifying its efforts to address the escalating vulnerabilities in cybersecurity...

AI Leaders Gaining an Edge in Quantum Readiness

Agentic AI, Artificial Intelligence & Machine Learning, ...