Researchers recently warned that multiple China-based threat groups are leveraging a series of vulnerabilities in Ivanti products, which have been widely exploited for several months. Cybersixgill continues to detect tools on the underground for exploiting the flaws, which affect Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances.
THE HEADLINE
A recent report was released warning about a trio of vulnerabilities affecting the products of IT management and security software developer Ivanti. These products are Connect Secure[1] (ICS) and Policy Secure[2] (IPS) network access control[3] (NAC) appliances. The first of these vulnerabilities is tracked as CVE-2023-46805 and is being exploited as an authentication bypass to access restricted resources. The second vulnerability, CVE-2024-21887, is a command injection[4] vulnerability that allows authenticated administrators to execute arbitrary commands.
The third vulnerability, CVE-2024-21893, enables threat actors to access restricted resources without authentication. The latest surge of attacks exploiting these vulnerabilities has been attributed to multiple Chinese state-sponsored advanced persistent threat (APT) groups. During this campaign, one of these APT’s reportedly zeroed in on U.S.-based organizations in the defense and energy industries, which is consistent with the activity of other Chinese groups seeking to harm Western targets. Researchers characterize the Chinese APT activity as “probing” infrastructure, without succeeding in actually compromising any ICS instances.
A variety of malware strains were detected during these campaigns, including backdoors[5] to provide covert access to compromised systems over long periods of time. Such malware also helps threat actors remain under the radar. After gaining a foothold, these threat actors were also observed targeting vulnerabilities in VMware and Microsoft tools. In addition to China-based APTs, financially motivated cybercriminals have also tried to capitalize on CVE-2023-46805 and CVE-2024-21887 in illegal crypto-mining schemes.
While a total of at least five China-based APTs have been identified attempting to exploit the three vulnerabilities, an additional threat group was observed leveraging CVE-2023-46805 and CVE-2024-21887 prior to Ivanti’s disclosure. Exploitation of the trio of vulnerabilities began several months ago and the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory in February 2024 warning the public about the threat these vulnerabilities pose.[6]
Currently, there are patches available for all three vulnerabilities.
DIVING DEEPER
Amid reports about exploitation of Ivanti vulnerabilities during the past several months, Cybersixgill detected a threat actor on a popular Russian-language cybercrime forum advertising exploits for Ivanti products. This threat actor is a highly active member of the forum, with a Cybersixgill reputation score of 9/10, reflecting their status as a credible source of malicious tools.
According to this actor, their Ivanti exploits for CVE-2024-21893 (and CVE-2023-38043) are so-called private implementations, meaning they were not sourced from publicly accessible proofs-of-concept (PoCs) available on well-known platforms. While this claim has not been independently verified, it could mean that the actor’s exploits pose a greater threat to vulnerable systems than previously observed PoCs.
This threat actor also claimed that the exploits are sold with “easy-to-navigate” GUIs and can pass sessions to and from command-and-control[7] (C2) systems. These features are certainly selling points that would make the tools easier to use in attack chains. Finally, the actor also claimed that they provide the source codes for their exploits, increasing their value. In general, the actor exhibits attention to operational security (OPSEC) measures (no publicly available contact info, use of forum guarantor, etc.), which also speaks to their reliability.
In addition to the exploits for Ivanti, this actor also advertised similar tools for remote code execution (RCE) vulnerabilities in Microsoft Outlook (CVE-2024-21413),[8] ScreenConnect RCE (CVE-2024-1709), Microsoft Windows Internet Shortcut SmartScreen Bypass Exploit (CVE-2024-21412), and JetBrains (CVE-2024-27198).
Figure 1: A cybercrime forum member advertises exploits for CVE-2023-38043 and CVE-2024-21893
In addition, Cybersixgill also detected multiple posts related to CVE-2023-46805 and CVE-2024-21887 on cybercrime-oriented channels hosted by a popular instant messaging platform. For example, the post below (Figure 2) contains tools for those vulnerabilities, including a scanner[9] to identify ICS appliances affected by CVE-2023-46805. The post below also contains a PoC for CVE-2024-21887 posted by a different user.
While the original creators of these PoCs identify themselves as cybersecurity intelligence researchers, these tools are now being distributed on a channel that caters to cybercriminals, which had over 6,800 subscribers as of April 8, 2024. Distribution of these tools in sources such as this increases the likelihood that these vulnerabilities will be exploited in the wild.
Figure 2: Tools to exploit Ivanti flaws circulating among threat actors
TAKEAWAYS
The exploitation of CVE-2023-46805/CVE-2024-21887/CVE-2024-21893 poses a significant risk to exposed Ivanti instances. Threat actors could leverage these flaws to compromise exposed instances of ICS/IPS and perform a wide range of malicious operations, including malware delivery, data theft, and extortion.
These vulnerabilities have already been leveraged in multiple waves of attacks, Cybersixgill not only observed scanners for these vulnerabilities, there were also clear indications of threat actors seeking to exploit Ivanti products. As the posts in this report illustrate, threat actors are also attempting to monetize tools to leverage these flaws. Therefore, all affected users should implement the mitigation strategies recommended by Ivanti to thwart exploitation attempts by cybercriminals.
[1] Ivanti Connect Secure (ICS) provides encrypted remote access to corporate resources, applications, files, and data to protect organizations from unauthorized access.
[2] Ivanti Policy Secure (IPS) is a network access control that administrators use to define and enforce policies for
network connections and access levels.
[3] Network access control (NAC) appliances are hardware devices or software products that enforce security protocols on the network perimeter or within network infrastructure, monitoring devices accessing the network.
[4] Command injection attacks execute arbitrary commands on host operating systems via vulnerable applications.
[5] Backdoor malware provides threat actors remote access to internal devices that can be used as a launchpad for further lateral movement within networks.
[6] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
[7] Attackers use command-and-control (C2) servers to send commands to compromised systems and receive stolen data from target networks.
[8] Threat actors use remote code execution to control systems and networks to which they lack direct access.
[9] A scanner is an automated tool to identify exposed instances that could be compromised due to vulnerabilities in software applications, networks, or systems.