⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?
Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.
In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.
Looks like Ivanti have done a really good job identifying.
I call it ConnectAround. #threatintel #connectaround
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
"We are unable to discuss the specifics of our customers."
Yeah, but there's nothing stopping them from providing a wealth of general details that wouldn't out the affected customers at all.
@dangoodin @GossiTheDog You'd think after all of us, collectively, in the infosec community roasting every poor response for 10 years+ they'd learn that being SAFELY transparent is always the correct response.
This is a scummy response that taints them even further in my eyes and I will resist using any of their products, services, or anything in the future based on this sort of behavior.
I am not alone in that line of thinking and it may not be a big impact, but it adds up the more people think like I do.
Kevin Beaumont
Dan Goodin
NosirrahSec 🏴☠️ guillotine enthusiast