The US Cybersecurity and Infrastructure Security Agency (CISA) is warning government agencies to immediately patch the newly discovered Ivanti flaws as they are being used in the wild to compromise vulnerable endpoints.
The CISA alert warns agencies of the Federal Civilian Executive Branch (FCEB) about two flaws: CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) and allow threat actors to execute arbitrary commands on the endpoints.
Thousands of victims
Since January 11 of this year, a “sharp increase” in attacks has been observed, CISA warned. Government agencies do not appear to be the only targets, however, as researchers have observed organizations being attacked indiscriminately. So far, victims range from small businesses to some of the world's largest organizations, operating in industries including aerospace, banking, defense and government.
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, conduct a data breach, and establish persistent system access, resulting in a complete compromise of the targeted information systems,” the agency said.
Ivanti has not yet released a patch for the flaws. In the meantime, it has published mitigation measures that involve importing an XML file into the affected products, which applies the necessary configuration changes.
Additionally, CISA said organizations should first run Ivanti's external integrity checker tool to determine whether their endpoints have been compromised. If signs of compromise are found, the devices must be disconnected, reset, and only then have the XML file imported. FCEB agencies must also revoke and reissue certificates, reset administrator credentials, store API keys, and reset local user passwords.
The zero-days were first detected in December last year, exploited by a Chinese state-sponsored threat actor tracked as UTA0178. Since then, the group has compromised over 2,000 devices worldwide and used that access to install passive backdoors and deploy web shells.
Via TheHackerNews