Ivanti VPN Zero-Day Actively Exploited
January 11, 2024
Introduction
Two zero-day vulnerabilities have recently been uncovered in the widely used Ivanti VPN devices, which are actively being exploited. This article delves into the details of these security breaches, exploring their nature, exploitation tactics, implications, and recommended remediation actions.
Overview of the Ivanti Zero-Day Exploits
Cybersecurity firms Volexity and Tenable reported the active exploitation of two zero-day vulnerabilities in Ivanti Connect Secure devices, formerly known as Pulse Connect Secure. CVE-2023-46805 and CVE-2024-21887 vulnerabilities allow authentication bypass and command injection, providing attackers unbridled access to sensitive systems and data.
Understanding the Vulnerabilities
CVE-2023-46805 is an authentication bypass vulnerability, allowing attackers to circumvent control checks and access restricted resources. This vulnerability has a CVSS (Common Vulnerability Scoring System) score of 8.2, indicating a high severity level.
On the other hand, CVE-2024-21887 is a command injection vulnerability, enabling attackers to execute arbitrary commands on compromised systems. With a CVSS score of 9.1, this vulnerability is of critical severity.
The Exploitation Chain
Both vulnerabilities were exploited in a series of targeted cyber-attacks, most notably by an unknown threat actor tracked as UTA0178, believed to be a Chinese nation-state-level threat actor. The attacker used these vulnerabilities in a chain to achieve unauthenticated remote code execution, compromising the victim's network and gaining the ability to execute commands on the system.
The Attack Timeline
Volexity detected suspicious activity on its network in the second week of December 2023. After a thorough investigation, the cybersecurity firm traced the activity back to the organization's Internet-facing Ivanti Connect Secure VPN appliance. Reviewing the device's network traffic revealed suspect outbound and inbound communication, indicating that the device had been compromised since early December.
The Forensic Investigation
Volexity and its customers worked closely with Ivanti to obtain disk and memory images from the impacted devices. The forensic analysis of the collected data revealed the attacker's tools, malware, and operating methods.
The most significant finding was the discovery of the exploit chain used by the attacker. By analyzing a memory sample, Volexity determined that the attacker used two zero-day exploits in a sequence to achieve unauthenticated remote code execution.
Attack Methodology
The attacker exploited the vulnerabilities to steal configuration data, modify existing files, download remote files, and reverse tunnel from the Ivanti Connect Secure VPN appliance. They also planted webshells on multiple internal and external-facing web servers, which they used for persistent access to the network.
The GLASSTOKEN Webshell and Variants
The attacker deployed a custom webshell, labeled GLASSTOKEN, on the compromised systems to maintain persistence in the network. This webshell allowed the attacker to execute commands on the compromised systems, providing them with continued access even if the exploited vulnerabilities were patched.
Two variations of the GLASSTOKEN webshell were identified during the investigation. The first version had two code paths, depending on the parameters present in the request. It was used to relay a connection and execute arbitrary PowerShell commands. The second version was almost identical to the first but lacked the native tunneling capability.
Credential Theft, Lateral Movement, and Network Recon
The attacker used several methods to steal credentials and move laterally in the network. They dumped the memory of the LSASS process using Task Manager, accessed a system containing Virtual Hard Disk backups, used a script to dump credentials from Veeam backup software, and modified a JavaScript loaded by the Web SSL VPN login page to capture entered credentials.
Once they had access to the network, the attacker performed extensive reconnaissance, exploring systems, examining user files, and testing system access. They also deployed webshells to multiple systems, providing a backup method for network access.
Detecting and Responding to the Compromise
Organizations can use several methods to detect compromise, including network traffic analysis, VPN device log analysis, and execution of Ivanti's Integrity Checker Tool. If signs of compromise are identified, collecting logs, system snapshots, and forensic artifacts for analysis is crucial.
- Network Traffic Analysis - Analyzing anomalous traffic originating from VPN appliances can reveal signs of compromise. Outbound network traffic from the VPN appliance can be examined for connections atypical of the device, such as SSH connections to remote IPs or encrypted connections to hosts not associated with device updates.
- VPN Device Log Analysis - VPN device logs can also be a valuable resource for detecting threats. These logs can show if logs have been wiped or disabled, requests for files in valid but atypical paths, and detections from the Integrity Checker Tool.
- The Integrity Checker Tool - Ivanti provides an Integrity Checker Tool that can be run on Ivanti Connect Secure VPN appliances. This tool can identify new or mismatched files, providing strong evidence of a compromised device.
Mitigations and Recommendations
While Ivanti has released a mitigation script for immediate use, patches for the vulnerabilities are not yet available. Organizations are advised to implement the mitigation immediately and prepare to apply the patches as soon as they are released.
Looking Forward
The exploitation of these vulnerabilities underscores the importance of robust cybersecurity measures. As attackers continue to target critical devices like VPN appliances and firewalls, organizations must ensure they have monitoring systems to detect unusual activity and respond quickly to potential threats.
Conclusion
The Ivanti zero-day exploits represent the latest in a series of cybersecurity threats targeting VPN devices. The incident underscores the importance of vigilance, rapid response, and robust security measures in protecting against such threats. Organizations must stay informed about the latest security vulnerabilities as we move forward and ensure they are prepared to respond promptly and effectively to potential attacks.
TL;DR
This article explores two critical zero-day vulnerabilities in Ivanti Connect Secure VPN devices, CVE-2023-46805 and CVE-2024-21887, allowing unauthenticated remote code execution. Discovered in early 2024, these vulnerabilities have been exploited in targeted cyber-attacks, notably by a suspected Chinese nation-state actor, leading to system compromises and data breaches. The article details the attackers' use of a custom webshell, GLASSTOKEN, for persistent access, credential theft, and lateral movement within networks. It emphasizes the importance of rapid detection, response, and the implementation of robust cybersecurity measures to mitigate the risk of such attacks, particularly on critical VPN infrastructure.
References
https://www.volexity.com/blog/...