Security operations · 2 MIN READ · AARON WALTON · MAR 1, 2024 · TAGS: Alert / Cloud security / MDR / Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) believes threat actors are exploiting Ivanti Connect Secure and Policy Secure zero-day vulnerabilities. Here’s what you need to know.
What happened?
In the last few months, cybersecurity professionals and threat actors alike identified zero-day vulnerabilities with Ivanti Connect Secure and Policy Secure products. The Cybersecurity and Infrastructure Security Agency (CISA) believes that actors exploiting these devices can evade Ivanti’s internal and external Integrity Checker Tool (ICT), ultimately resulting in a failure to detect compromise. CISA reports that multiple vulnerabilities are still being actively exploited, and warns users to ensure their devices are patched and up to date.
If you use Ivanti Connect Secure or Ivanti Policy Secure Gateway, you should read on and take the recommended actions. If not, you can rest easy—this doesn’t apply to you.
Why does it matter?
Threat actors are exploiting the following zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure Gateway:
Criminals exploiting these Ivanti products can gain unauthorized access to networks, and once in, they can make it difficult for operators to detect their activity, apply patches, or activate factory resets. These risks highlight the importance of ensuring these devices are patched, up-to-date, and properly configured.
What should you do right now?
CISA recommends in its Joint Cybersecurity Advisory to limit outbound internet connections from SSL VPN immediately to restrict access to required services, and also limit SSL VPN connections to unprevileged accounts. More strategically, you should also ensure a ‘least privileged’ approach is implemented for all accounts. It also urges organizations to keep all operating systems and firmware up to date. Consider what threat actor access to and persistence on these devices might entail and determine whether it’s worth the risk to continue operating them in your environment.
More specifically, CISA urges operators to:
- Assume that user and account credentials stored within the affected Ivanti VPN appliances are likely compromised;
- Hunt for malicious activity on their networks using these indicators of compromise (IOCs):
- Run Ivanti’s most recent external ICT; and
- Apply available patching guidance by Ivanti as it publishes version updates.
CISA warns that the safest course of action for users is to assume a sophisticated threat actor may have deployed rootkit level persistence on a device that was reset and lay dormant, as sophisticated actors may remain silent on compromised networks for long periods.
What next?
We’re monitoring this situation closely as it unfolds. We’ll update this post with big developments, but look out for any updates from CISA and keep an eye on our socials (@ExpelSecurity) for any important additional recommendations as they emerge.
