Warning: Threat actors getting around some Ivanti mitigations

Cyber authorities in the U.S. and Australia have issued new warnings to IT administrators to take more action to protect Ivanti Connect Secure and Policy Secure Gateways. At the same time, Ivanti revealed that two new vulnerabilities for the devices have been discovered, on top of a pair revealed earlier this month.

The latest vulnerabilities are CVE-2024-21888, a privilege escalation vulnerability affecting Policy Secure, and CVE-2024-21893, a server-side request forgery vulnerability affecting supported versions of Connect Secure and Policy Secure Gateways.

Ivanti today issued a patch for Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. that covers the new holes. More patches are coming.

“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch, to prevent the threat actor from gaining upgrade persistence in your environment,” Ivanti said this morning.  Customers should expect the reset process to take three to four hours.

The remaining patches for supported versions will still be released on a staggered schedule, Ivanti adds.

Australia’s Cyber Security Centre said this morning it is aware of reports that threat actors have developed workarounds to some mitigation and detection methods, leading to reported ongoing exploitation activity.

The Centre “strongly advises organizations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems,” the alert says. IT administrators should monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.

The U.S. issued a similar warning on Tuesday.

“Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.”

If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to — or recently connected to — the Ivanti device. Additionally, it said, organizations should monitor authentication, account usage, and identity management services that could be exposed, and isolate the system(s) from any enterprise resources as much as possible.

After applying patches, when these become available, CISA recommends that organizations continue to hunt their networks to detect any compromise that may have occurred before patches were implemented.

These warnings to take mitigation action come almost three weeks after Ivanti issued its first alert of an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in the devices.

Also today, Mandiant issued an update to its background blog on the vulnerabilities.  Mandiant has identified zero-day exploitation of these vulnerabilities in the wild, beginning as early as Dec. 3, 2023, by a suspected China-nexus espionage threat actor.

Mandiant notes that a threat actor found a way to get around Ivanti’s recommended mitigation, released Jan. 10, for the first pair of vulnerabilities. That bypass led to the deployment of a custom webshell. Mandiant believes the mitigation bypass activity is “highly targeted, limited, and is distinct from the post-advisory mass exploitation activity.” However, using Ivanti’s external integrity checker tool (ICT) successfully detected the presence of the new webshell.

Mandiant notes Ivanti’s external ICT should be used by IT administrators for reviewing logs, because it is more robust and resistant to tampering than the internal version.

The blog also outlines indicators of compromise.