Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

05-03-2024
Share
Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of a malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.

Ivanti Gateway Vulnerabilities

They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Data shared by web security company Akamai shows that approximately 250,000 exploitation attempts have been detected per day, targeting over 1,000 customers from more than 3,300 unique attacking IP addresses located in 18 different countries.

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

 

Source: https://thehackernews.com/