On January 15, 2024, cybersecurity firm Volexity observed widespread exploitation of Ivanti Connect Secure VPN Appliances. On January 16, 2024, the proof of concept code was made available, leading to the mass exploitation of Ivanti VPN devices.
This activity is linked to the exploitation of CVE-2023-46805 and CVE-2024-21887, which can be chained to achieve unauthenticated remote code execution.
CVE-2023-46805 is an authentication bypass vulnerability, while CVE-2024-21887 is a command injection vulnerability, both affecting Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure.
Volexity found that the attacker could exploit the VPN vulnerabilities to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”
Ivanti publicly disclosed the vulnerability on January 10, 2024, when only a single-digit number of customers had been compromised.
Ivanti Connect Secure exploitation linked to a Chinese hacker.
Of particular interest was the Chinese threat actor UTA0178, who was observed dropping the GIFTEDVISITOR webshell on compromised devices. Volexity discovered 1,700 compromised Ivanti Connect Secure VPN devices infected with this webshell variant.
Further scanning detected 368 additional compromised Ivanti Connect Secure VPN appliances, pushing the number of GIFTEDVISITOR-infected devices to 2,100.
Companies compromised vary in size from small establishments to Fortune 500 companies in the following sectors:
- Government
- Telecommunications
- Military and Defense contractors
- Technology
- Financials, including Banking, Finance, and Accounting
- Consulting
- Engineering, Aerospace, and Aviation
Volexity also discovered UTA0178 modifying the Integrity Checker Tool to evade detection by underreporting the number of modified files. The attacker accomplished this by modifying the Python script 'scanner/scripts/scanner.py'.
Volexity advised users to run an external Integrity Checker Tool “out of an abundance of caution” since the internal version might be tampered with.
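The reason an external check matters is that a tampered on-box checker can report fewer changes than actually exist. The following is an added illustration, not Ivanti's Integrity Checker Tool or any code from the report: an independent baseline-and-compare routine that hashes every file under a tree, with the baseline and the comparison logic kept off the device being checked. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed example: an independent integrity check that hashes every file
# under a tree and compares it with a previously recorded baseline manifest.
# It is not Ivanti's Integrity Checker Tool; it shows why the baseline and the
# comparison code must live off the device being checked, so that an edited
# on-box script cannot shrink the reported count.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare(baseline, current):
    """Report modified, added and removed files; every difference is listed, never a subset."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: record a baseline, then alter one script and add one file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scanner", "scripts"))
        script = os.path.join(root, "scanner", "scripts", "scanner.py")
        with open(script, "w") as f:
            f.write("# constructed placeholder for the on-box checker script\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>\n")
        baseline = build_manifest(root)  # would be taken from a known-good image, stored off-box
        with open(script, "w") as f:      # constructed change to the checker script
            f.write("# constructed placeholder, contents changed after baseline\n")
        with open(os.path.join(root, "new_file.txt"), "w") as f:
            f.write("constructed placeholder for an unexpected new file\n")
        return compare(baseline, build_manifest(root))
```

Running `demo()` reports the changed script under "modified" and the unexpected file under "added"; a real deployment would load the baseline from a known-good image rather than from the appliance itself.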
UTA0178 also modified JavaScript files in the Web SSL VPN component to exfiltrate user credentials for internal propagation and network exploitation.
“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”
The firm also discovered vulnerable VPN devices downloading a Rust-based payload and XMRig cryptocurrency miners from the threat actors' URLs.
While the initial Ivanti Connect Secure VPN exploitation bore the hallmarks of a state-sponsored hacking campaign, the discovery suggests financial motives.
Sometimes hackers kill two birds with one stone by monetizing their access, or they deliberately suggest financial motives to conceal cyberespionage.
Usually, state-sponsored activity attracts more attention from the US government, inviting more assets into the mix and thus undermining the success of the hacking campaign. Therefore, hackers prefer to keep a campaign low-profile until they accomplish their objectives.
Volexity believes that UTA0178 continues to exploit Ivanti Connect Secure VPN vulnerabilities using automated methods.
Mitigated Ivanti Connect Secure VPN Appliances re-infected.
Volexity also discovered hackers re-infecting devices whose owners had applied the recommended mitigations. Re-infection occurs when the device owners apply mitigations before importing previous configuration files.
“In doing so, it appears the backup configuration negates or otherwise removes the mitigation that was put in place.”
Ivanti warned system administrators against pushing configs to appliances with mitigations because it “stops some key web services from functioning.”
Thus, “customers should stop pushing configurations to appliances with the XML in place and not resume pushing configurations until the appliance is patched.”