Exploitation of two zero-day vulnerabilities recently reported in Ivanti Connect Secure (ICS) and Policy Secure appliances has become widespread across multiple vertical industries.
In a Monday post, Volexity researchers reported more than 1,700 ICS VPN appliances worldwide were compromised.
Affected verticals include global government and military departments; national telecommunications companies, defense contractors, technology companies, banking, finance, accounting and consulting firms, as well as the aviation sector.
The researchers also said that additional threat actors beyond UTA0178 — the suspected China-based threat group originally reported — are actively trying to exploit devices.
“This exploitation has affected thousands of machines and may have infected many more,” wrote the Volexity researchers. “Volexity’s scan methodology would not have worked against organizations that have already deployed the Ivanti mitigation or had otherwise been taken offline. As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through its scanning.”
As SC Media reported on Jan. 12, the vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully-patched ICS (formerly known as Pulse Connect Secure) and Policy Secure appliances.
Ivanti recommended all of its customers to run the workaround it released via its download portal while awaiting a staggered patch schedule to be released from Jan. 22 through Feb. 19.
This most recent Ivanti news demonstrates how quickly the efforts of one threat actor group can be replicated and extended by others, leading to the exponential growth of attacks in the last few days, said John Gallagher, vice president of Viakoo Labs.
Gallagher said because these are targeting ICS VPN deployments, threat actors may aim for more than just data exfiltration. Organizations should use agentless asset and application discovery solutions to monitor their systems for changes to ICS device behavior or applications running on them, said Gallagher.
“Not only is patching required here, but it sounds like organizations should be prepared for frequent patching as more aspects of these zero-day vulnerabilities become known,” explained Gallagher. “Patching may be required for more systems than the Ivanti VPN as lateral movement occurs. Using an automated agentless firmware patching solution is needed here, as traditional, agent-based patching solutions do not work with ICS systems.”
Callie Guenther, senior manager, cyber threat research at Critical Start, added that in light of the recent widespread exploitation of two zero-day vulnerabilities in Ivanti products, security pros must undertake a series of specific and context-driven actions. First, Guenther said given that these vulnerabilities have been actively exploited by advanced threat actors such as the Chinese group UTA0178 and others, updating systems with Ivanti's provided patches is crucial for closing the security gap.
“Additionally, monitoring network traffic becomes vital, especially since the threat actors have demonstrated sophistication in exploiting these vulnerabilities globally, affecting a wide range of sectors,” said Guenther. “Security teams should look for anomalies that might indicate exploit attempts.”
Guenther added that regular vulnerability assessments and penetration testing also become more critical in this context, as they can uncover potential exploitable weaknesses in the network that might be similar to CVE-2023-46805 and CVE-2024-21887.
“Given the varied tactics of the suspected threat actors, comprehensive security protocols, including updated firewall rules and intrusion detection systems, are necessary to defend against both direct exploitation and secondary attacks like lateral movements or data exfiltration,” said Guenther.
