Hackers have been actively exploiting vulnerabilities in Ivanti VPN, a popular tool used to secure sensitive data and communications. The Cybersecurity and Infrastructure Security Agency (CISA), along with several partner organizations, recently issued a warning regarding the exploitation of multiple vulnerabilities in Ivanti VPN. These vulnerabilities, identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, allow threat actors to bypass authentication, execute commands, and evade detection on Ivanti gateways.
The Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), United Kingdom National Cyber Security Centre (NCSC-UK), Canadian Centre for Cyber Security (Cyber Centre), New Zealand National Cyber Security Centre (NCSC-NZ), and CERT-New Zealand (CERT NZ) are among the agencies that have issued warnings about these vulnerabilities. These organizations have urged network defenders to be proactive in hunting for malicious activity, updating their systems, and applying patches to mitigate the risks posed by these vulnerabilities.
CISA, in response to the Ivanti vulnerabilities, detected threat actors exploiting CVEs to implant web shells and harvest credentials. These threat actors used native Ivanti tools like freerdp and SSH for lateral movement within compromised networks, ultimately leading to full domain compromises. Despite efforts to detect compromise through integrity checking and forensic analysis, Ivanti’s ICT systems failed to identify the nefarious activities.
Organizations are advised to be cautious of rootkit-level persistence even after factory resets, as advanced threat actors can remain undetected for extended periods. Due to the significant risks posed by these vulnerabilities, it is recommended that enterprises reconsider their use of Ivanti Connect Secure and Policy Secure gateways in their environments.
To mitigate the risks associated with these vulnerabilities, cybersecurity experts recommend various steps, including choosing VPNs wisely, securing remote access tools, restricting outbound connections on SSL VPNs, using low-privilege accounts for LDAP bind in SSL VPNs, updating OS, software, and firmware regularly, and enforcing strong password policies. These measures are crucial in preventing unauthorized access and data breaches that could result from exploiting VPN flaws.
In conclusion, the exploitation of Ivanti VPN vulnerabilities highlights the ongoing threats posed by hackers to organizations’ cybersecurity. By staying vigilant, applying necessary patches, and following best practices recommended by cybersecurity experts, organizations can strengthen their defense against cyber attacks and protect their sensitive data and communications from unauthorized access.