What is it?
- Formerly known as Pulse Connect Secure, or simply Pulse Secure
- VPN software
- All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887
Vulnerability
- CVE-2023-46805: an authentication-bypass vulnerability with a CVSS score of 8.2
- In the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; it allows a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887: a command-injection vulnerability found in multiple web components, with a CVSS score of 9.1
- In web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure; it allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.
Impact
Source: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
- As early as 3 December
- Lateral movement after exploiting vulnerabilities on the Connect Secure (ICS) VPN appliance
- Logs wiped, logging disabled
- Two different zero days chained together to achieve unauthenticated remote code execution (RCE)
- Steal configuration data
- Modify existing files
- Download remote files
- Reverse tunnel from the ICS VPN appliance.
- Credential harvesting
UTA0178: Chinese nation-state-level threat actor
- Essentially living off the land
- Deployed a handful of malware files and tools during the course of the incident
- Webshells
- GLASSTOKEN: A Custom Webshell
- Adding the webshell GIFTEDVISITOR to the legitimate visits.py
- Proxy utilities
- File modifications
- Credential harvesting
- JS credential theft
- Legitimate lastauthserverused.js
- Used credentials they had compromised to log into various workstations and servers and dump the memory of the LSASS process to disk using Task Manager
- Virtual Hard Disk backups, which included a backup of a domain controller. They mounted this virtual hard disk and extracted the Active Directory database ntds.dit file from it, and compressed it using 7-Zip
- Found an instance of Veeam backup software that was in use and used a script available on GitHub to dump credentials from it.
- Modified JavaScript loaded by the Web SSL VPN login page for the ICS VPN Appliance to capture any credentials entered in it.
Detecting compromise
Network traffic analysis
- Anomalous traffic originating from their VPN appliances
- Curl requests to remote websites
- SSH connections back to remote IPs
- Encrypted connections to hosts not associated with SSO/MFA providers or device updates
- RDP and SMB activity to internal systems
- SSH attempts to internal systems
- Port scanning against hosts to look for systems with accessible services
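An added example (not from the Volexity write-up) that turns the traffic indicators above into a triage pass over flow records originating from the VPN appliance. The appliance address, internal range, TLS allowlist, scan threshold and sample flows are all constructed assumptions; adapt them to your own flow or proxy log export.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
APPLIANCE = "10.0.0.5"                             # the ICS VPN appliance
INTERNAL = ip_network("10.0.0.0/8")                # internal address space
ALLOWED_TLS = {"198.51.100.10", "198.51.100.20"}   # SSO/MFA provider, update server
SCAN_THRESHOLD = 5                                 # distinct ports on one internal host

FLOWS = [  # (src, dst, dst_port, user_agent or None)
    ("10.0.0.5", "198.51.100.10", 443, None),        # expected: SSO provider
    ("10.0.0.5", "203.0.113.7", 443, None),          # TLS to an unlisted host
    ("10.0.0.5", "203.0.113.7", 80, "curl/7.61.1"),  # curl from the appliance
    ("10.0.0.5", "203.0.113.9", 22, None),           # SSH back to a remote IP
    ("10.0.0.5", "10.0.1.20", 3389, None),           # RDP to an internal system
    ("10.0.0.5", "10.0.1.21", 445, None),            # SMB to an internal system
    ("10.0.0.5", "10.0.1.22", 22, None),             # SSH attempt to an internal system
    ("10.0.7.7", "10.0.1.20", 3389, None),           # not from the appliance: ignored
] + [("10.0.0.5", "10.0.1.30", p, None) for p in (21, 23, 25, 80, 110, 8080)]

def triage(flows):
    """Return sorted (finding, destination) pairs for flows sent by the appliance."""
    findings, ports_seen = set(), defaultdict(set)
    for src, dst, port, agent in flows:
        if src != APPLIANCE:
            continue
        internal = ip_address(dst) in INTERNAL
        if agent and agent.startswith("curl/"):
            findings.add(("curl-request", dst))
        if port == 22:
            findings.add(("ssh-internal" if internal else "ssh-remote", dst))
        elif internal and port in (445, 3389):
            findings.add(("rdp-smb-internal", dst))
        elif not internal and port == 443 and dst not in ALLOWED_TLS:
            findings.add(("tls-unlisted-host", dst))
        if internal:
            ports_seen[dst].add(port)       # track fan-out per internal host
    for dst, ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:    # many ports on one host: scanning
            findings.add(("port-scan", dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding, dst in triage(FLOWS):
        print(f"{finding:18} {dst}")
```

A VPN appliance normally receives connections and talks to a small set of known services, so every finding here deserves a look rather than a score threshold.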
VPN device log analysis
- Logs can be accessed via System -> Log/Monitoring from the admin interface
- Enable the setting to log “Unauthenticated Requests”
- Without this setting, you cannot tell from the logs whether the server is being exploited.
Execution of the Integrity Checker Tool
- Running the Integrity Checker Tool will reboot the ICS VPN appliance, which will result in the contents of system memory largely being overwritten. If you have indicators of compromise prior to running this tool, it is recommended to not run the tool until you can collect memory and other forensic artifacts.
Shodan query: http.favicon.hash:-1439222863
Source: Ivanti Connect Secure VPN Exploitation Goes Global https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
- Mitigation does not remedy an active or past compromise
- On January 11, 2024: widespread scanning by someone familiar with the vulnerabilities.
Source: Ivanti Connect Secure VPN Exploitation: New Observations https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/
- Proof-of-concept code for the exploit was made public
- UTA0178: modifications to the in-built Integrity Checker Tool. These modifications would result in the in-built Integrity Checker Tool always reporting that there were no new or mismatched files regardless of how many were identified
- The modifications ensure that the total file count includes any new or mismatched files, while the new and mismatched file count displayed in logs is always set to zero.
- XMRig cryptocurrency miners
- Apply the mitigation after importing any backup configurations in order to prevent potential re-compromise of a device that was thought to be mitigated
Workaround
Source: KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- Importing mitigation.release.20240107.1.xml file via the download portal
- There is no need to reboot or restart services under the Ivanti Secure Appliance when applying the XML file, but please note that the external ICT will reboot the system.
- Limitations: Ivanti did not test the mitigation on unsupported versions. Upgrade to a supported version before applying the mitigation.
- The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions.
Source: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
CISA requires agencies to apply mitigation before Monday 22-Jan
Great write up on this and documenting the IOCs