Chinese Threat Actor Exploits Zero-Day Vulnerabilities in Ivanti Secure VPN to Compromise Systems

Ivanti Secure VPN, a widely used VPN solution, has recently been found to have two zero-day vulnerabilities. These vulnerabilities are currently being exploited by a Chinese threat actor known as UTA0178. By exploiting these vulnerabilities, attackers can remotely execute code without any authentication, potentially compromising affected systems.

Ivanti has published an official security advisory and knowledge base article detailing the zero-day vulnerabilities. The vulnerabilities, named CVE-2023-46805 and CVE-2024-21887, affect all supported versions of Ivanti Connect Secure (previously known as Pulse Connect Secure) and Ivanti Policy Secure Gateways.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It allows attackers to bypass control checks and access restricted resources.

CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. It allows an authenticated administrator to send specially crafted requests that execute arbitrary commands on the appliance, and it can be exploited over the internet.

Chained together, the two vulnerabilities let an unauthenticated attacker execute arbitrary commands on affected appliances.

According to Patrice Auffret, the founder, CEO, and CTO of ONYPHE, a cyber defense search engine, there are approximately 29,664 Ivanti Secure VPN appliances connected to the internet. Of those exposed systems, over 40% are in the United States, followed by Japan (14.3%) and Germany (8.48%).

The vulnerabilities were discovered by U.S.-based cybersecurity company Volexity during an incident response investigation. The investigation revealed that the threat actor, UTA0178, had modified files on the Ivanti Connect Secure VPN appliance. Files such as “/tmp/rev,” “/tmp/s.py,” “/tmp/s.jar,” “/tmp/b,” and “/tmp/kill” were found. Additionally, a Python-based proxy utility known as PySoxy was discovered, believed to be the file “s.py.”

UTA0178 deployed webshells and modified files to steal credentials and access systems throughout the network. They collected newly harvested credentials, dumped a full image of the Active Directory database, and modified the JavaScript on the VPN appliance’s web login page to capture credentials. The stolen credentials were sent to an attacker-controlled domain.

The threat actor also deployed a custom webshell called GLASSTOKEN. There are two versions of GLASSTOKEN, with the first version allowing connection relaying and executing PowerShell commands. The second version only permits code execution.

To detect compromise, network traffic analysis, analysis of the VPN appliance’s logs, and the use of Ivanti’s integrity checker tool are recommended. Ivanti also provides a mitigation to apply until a full patch is available.

It is important for organizations using Ivanti Secure VPN to follow Ivanti’s instructions and take appropriate measures to protect their systems.
