Ivanti reported on two new high-severity bugs affecting Ivanti Connect Secure and Policy Secure products, one of them of which has been exploited in the wild.
The flaw exploited in the wild — CVE-2024-21893 — appears to be targeted, said Ivanti said in a Jan. 31 notice to customers where it also released patches.
Ivanti also said it expected a sharp increase in exploitation as the information becomes public, and that it's not aware that the other bug disclosed Wednesday — CVE-2024-21888 — has impacted any customers.
To add to the seriousness of these flaws, since initially writing about earlier Ivanti vulnerabilities on Jan. 12, Mandiant's researchers identified broad exploitation activity both by the original threat actor — UNC5221 — as well as various other uncategorized threat groups.
In a blog post Jan. 31, Mandiant now classifies UNC5221 as a suspected China-nexus espionage threat actor, and has seen a mitigation bypass technique used in the wild. This led to the deployment of a custom Webshell tracked as “BUSHWALK,” which allows the attacker to read or write to files on a server.
“After further analysis of UNC5221’s TTPs, Mandiant now suspects that UNC5221 is a Chinese-nexus threat actor,” said Charles Carmakal, Mandiant Consulting CTO. “We’re aware that Volexity initially suspected this, but Mandiant didn’t have enough data to independently determine UNC5221’s origin and corroborate this claim until now."
What the two new bugs mean to security pros
Patrick Tiquet, vice president, security and architecture at Keeper Security, added that these two new Ivanti vulnerabilities have massive implications, particularly now that one has been actively exploited in the wild; prioritizing them is absolutely necessary. Tiquet said the vulnerabilities, if exploited, can grant unauthorized access to sensitive systems and compromise an entire network.
Tiquet also pointed out that the Cybersecurity and Infrastructure Security Agency (CISA) determined these flaws posed an unacceptable risk and issued its first emergency directive of 2024, ordering federal civilian executive branch agencies to apply the patch immediately.
“Organizations need to take every precaution and follow Ivanti’s guidance exactly to prevent potential compromise of their systems,” said Tiquet. “These unpatched instances will remain ripe fodder for bad actors to leverage to gain authentication information and potentially access sensitive information.”
Nation-state actors UNC5221 have successfully targeted and exploited vulnerabilities in Ivanti to steal configuration data, modify existing files, download remote files, and reverse tunnel within networks, said Ken Dunham, cyber threat director at the Qualys Threat Research Unit. Dunham said the actors deployed malware, including THINSPOOL, ZIPLINE, and WARPWIRE in addition to other payloads as part of documented attacks.
“Organizations using Ivanti that are subject to supply chain and nation-state targeted attacks must prioritize this patch given ongoing targeted and successful activity by UNC5221,” said Dunham. “Ivanti is likely targeted due to the functionality and architecture it provides actors, if compromised, as a networking and VPN solution, into networks and downstream targets of interest.”
For a good roundup of these Ivanti flaws, see Charles Carmakal’s recent LinkedIn post.
