Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.
Volexity disclosed in a Jan. 10 blog post that its researchers uncovered the exploit chain the threat actor used after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website.
The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Ivanti Policy Secure appliances.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in a Jan. 10 advisory.
CVE-2023-46805 has a CVSS score of 8.2 and is described as an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control checks.”
The second bug, CVE-2024-21887, has a CVSS score of 9.1 and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.”
In-the-wild exploitation
In-the-wild exploitation of the bugs was observed by researchers at Volexity, who said in their post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.
Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bugs were developed. Patches would be released on a staggered schedule beginning the week of Jan. 22.
“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.
“We are aware of less than 10 customers impacted by the vulnerabilities. We are unable to discuss the specifics of our customers.”
Researchers noted that the attackers who abused the flaws largely lived off the land, deploying only a handful of malware files and tools: webshells, proxy utilities and modifications to legitimate files that enable credential harvesting.
Ivanti recommends that all customers apply the workaround released via its download portal while the patches are rolled out on a staggered schedule from the week of Jan. 22 through Feb. 19.
Edge appliances vulnerable to espionage attacks
Volexity’s researchers said as attackers looked to bypass organizations’ cyber defenses, internet-accessible systems, especially critical devices like VPN appliances and firewalls, had become a favorite target.
“These systems often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate,” they said.
“Organizations need to make sure they have a strategy in place to be able to monitor activity from these devices and quickly respond if something unexpected occurs.”
Researchers with Google-owned cybersecurity firm Mandiant have also been working with Ivanti to address the vulnerabilities and shared their findings on the Mandiant blog on Jan. 11. Mandiant said it has not linked the activity to a previously known group and is tracking the actor as UNC5221.
The Mandiant researchers said that once the two bugs were successfully exploited, the threat actor deployed several custom malware families. In several cases the malware was used to trojanize legitimate files on the Connect Secure appliance. The actor was also observed using the PySoxy tunneler and BusyBox to enable post-exploitation activity.
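Because the appliance cannot run endpoint security software and the intrusions described above replaced legitimate files with trojanized copies, the practical check is a file-integrity comparison against a known-good manifest taken before exposure. The script below is an added example written for this article, not code from Ivanti, Volexity or Mandiant: it hashes every file under a directory tree, then diffs a later snapshot to surface modified (trojanized), added (dropped webshell or tool) and removed files. The directory layout and file contents it builds are constructed for the demo; the paths are not real Ivanti Connect Secure paths.

```python
"""File-integrity diff for an appliance-like file tree.

Added example, not from the article or the vendors it cites. The tree built in
demo() is constructed for illustration; its paths are not real appliance paths.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a planted link cannot make a dropped file appear
    to be a pre-existing one.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests.

    modified: same path, different hash (a trojanized legitimate file)
    added:    present now but not in the baseline (a dropped webshell or tool)
    removed:  present in the baseline but gone now
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, simulate the kind of
    post-exploitation changes described in the article, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web" / "cgi").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "web" / "cgi" / "login.cgi").write_text("#!/usr/bin/perl\n# legit login handler\n")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "web" / "index.html").write_text("<html>ok</html>\n")

        baseline = build_manifest(root)  # taken while the tree is known-good

        # Simulate trojanizing a legitimate file: credential capture appended.
        with (root / "web" / "cgi" / "login.cgi").open("a") as f:
            f.write("# injected: copy submitted credentials to a staging file\n")
        # Simulate a dropped webshell alongside the real CGI handlers.
        (root / "web" / "cgi" / "shell.cgi").write_text("# webshell placeholder\n")

        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Two caveats apply on a real appliance. The baseline must be captured before the device is exposed and stored off the box, and the comparison should run from trusted media, because an actor with root on the gateway can edit both the manifest and the checker. Hash mismatches are also expected after a legitimate upgrade, so re-baseline immediately after every vendor update to keep the diff meaningful.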
“The targeting of edge infrastructure with zero-day vulnerabilities has been a consistent tactic leveraged by espionage actors to enable their operations,” the researchers said.
“Additionally, Mandiant has previously observed multiple suspected APT actors utilizing appliance specific malware to enable post-exploitation and evade detection. These instances, combined with Volexity’s findings around targeting, leads Mandiant to suspect this is an espionage-motivated APT campaign.”
CISA adds bugs to Known Exploited Vulnerabilities bulletin
The Cybersecurity and Infrastructure Security Agency (CISA) has added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog. As a consequence, all U.S. Federal Civilian Executive Branch agencies have until Jan. 31 to mitigate the bugs in any affected appliances. On Jan. 4, Ivanti patched an unrelated critical vulnerability, with a CVSS score of 9.6, in its Endpoint Manager (EPM) software that could have let an attacker with internal network access achieve remote code execution.
Tenable’s Satnam Narang, a senior staff research engineer, said the lack of a patch for the zero-days was a concern, as the mitigation depends on end users knowing about the vulnerabilities and applying it. Narang urged impacted organizations to apply the mitigation as soon as possible and said he expected malicious activity to spike once a proof of concept for the exploit chain becomes available.