In a recent development, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning indicating that threat actors are taking advantage of previously identified vulnerabilities in Ivanti software. The vulnerabilities in question, known as CVE-2023-46805, CVE-2024-21887, CVE-2024-2204, and CVE-2024-21893, impact Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways. Two of these vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were exploited by threat actors even before patches were made available. Volexity and Mandiant linked the exploitation of these flaws to a Chinese state-sponsored actor.
Following reports of exploitation, CISA directed Federal Civilian Executive Branch agencies to disconnect all ICS and IPS devices as a precautionary measure. Ivanti, for its part, advised customers to use its internal and external Integrity Checker Tool (ICT) to identify compromises. Although Ivanti released an updated external tool in January after attackers were found to be manipulating the check, CISA and collaborating organizations recently discovered inadequacies in the ICT.
During incident response engagements, CISA determined that Ivanti’s ICT failed to detect compromise. The agency’s independent research confirmed the tool’s shortcomings, indicating that threat actors could establish root-level persistence even after factory resets. Investigations uncovered a pattern where attackers exploited vulnerabilities to gain entry, deploy web shells, steal credentials, move laterally within systems, and ultimately compromise domain security.
Despite Ivanti’s efforts to address the situation by updating its ICT, CISA’s advisory highlighted the tool’s ineffectiveness based on real-world scenarios. The agency’s researchers were able to extract domain administrator credentials, establish root-level persistence, and bypass integrity checks using the vulnerabilities. CISA now advises organizations using ICS and IPS to carefully assess the risks associated with continuing to operate these devices in their networks.
In response to CISA’s findings, Ivanti defended the efficacy of its updated ICT and encouraged customers to combine it with continuous monitoring. The company emphasized the importance of applying available patches and running the latest version of the ICT to detect potential threats. Ivanti based its reassurance on its assessment that threat actors would be unable to persist in customer environments after patching and factory resets.
Additionally, Ivanti addressed misconceptions surrounding federal agencies’ directives to unplug devices, clarifying that the initial instructions were misinterpreted by the media. The company reiterated its commitment to addressing security concerns and providing updates to enhance customer protection. It also responded to criticisms related to its Pulse Secure firmware, acknowledging the need for ongoing vigilance in safeguarding against cyber threats.
In conclusion, the evolving landscape of cybersecurity necessitates proactive measures from both vendors and customers to mitigate risks and safeguard sensitive data. Collaborative efforts between organizations like CISA, Ivanti, and industry partners are crucial in combating threat actors and reinforcing the resilience of digital infrastructure.
