⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?
Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.
In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.
Looks like Ivanti have done a really good job identifying.
I call it ConnectAround. #threatintel #connectaround
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
More info on #ConnectAround from @volexity
- Exploitation dates to at least late 2023
- Chinese nation state actor
Loads of info in the blog.
Obvious point - there will likely be more #ConnectAround victims.
Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.
NCSC UK note on #ConnectAround https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities
Nothing new. #threatintel
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.
The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
If you use Pulse Secure, you probably want to find an IR firm.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA00178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.
If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.
Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow
Complete exploitation info for #ConnectAround is now public. https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805
It’s a chaotic mix of ../../ directory traversal and open APIs… if you haven’t applied the mitigations you’re going to have a really bad time as ransomware groups will jump on the train soon. #threatintel
Palo-Alto are tracking 30k boxes exposed to #ConnectAround
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/
Amazing - first mass spraying of #ConnectAround by notChina and they’re delivering.. coin miners. 🤣🤣🤣
Attached: 1 image We're seeing more than just scanning for the recent pair of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) - we're seeing real exploitation attempts - this one installs a Bitcoin miner! Patch your hosts ASAP!
I strongly suspect there are a whole bunch of large orgs running incidents for #ConnectAround now.
Why? Pulse Secure boxes which didn't have the mitigation supplied have stopped responding totally for over a day.. when Shodan history shows they've been running on same IP for years.
Latest #ConnectAround issue - there’s no patch, and the mitigation silently fails to work if an admin makes a config change elsewhere.
If you run Pulse Secure I’d suggest being very cautious.
Latest on #ConnectAround - the vendor promised patches weeks later, but hasn’t been hitting its own milestones to release said patches.
https://www.securityweek.com/ivanti-struggling-to-hit-zero-day-patch-release-schedule/
More hilarity on #ConnectAround - there’s now two NEW vulnerabilities in Ivanti Pulse Secure, being actively exploited as zero days too - no patches for many versions.
Updated advisory with updated mitigations you need to reapply:
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVEs: CVE-2024-21893 and CVE-2024-21888
CERT advisory: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-205101-1032.pdf?__blob=publicationFile&v=2
Ivanti recommend you factory reset your devices in their advisory.
HT @fthy
@barubary @GossiTheDog I'm pretty sure it's 2000.
@GossiTheDog @buffaloverflow IIRC, this is actually how mitre used to ask people to do it ages past, though it's been a few years since that was changed (with the cve.org split I think?).
Which seems crazy but I think they were just aiming to get companies to buy in.
@dezz @GossiTheDog @buffaloverflow
I think it only produces a file if it finds mismatched files or an issue?
@GossiTheDog No response from our critical infrastructure guys.
Meanwhile, the boss said that she'll inform DANS (a state security agency here; something like a combination of the FBI and the NSA; deals with cyber crimes and other stuff too) and scolded me for trying to contact the vulnerable company.
Apparently, this is not safe to do here. According to her, another colleague did that once - reported a vulnerability to a company that had vulnerable machines - and the company sent him a couple of bouncers to "discourage him form poking our computers". I kid you not.
@GossiTheDog Are you using the watchTowr Labs method?
I used that to scan the machine at our critical infrastructure company. Not only is the machine indeed vulnerable but it also has an SSL certificate that has expired 101 days ago, which means that literally nobody is paying attention to it.
No wonder my e-mail went unanswered...
@GossiTheDog I get at least 5 twigs, and sometimes a pile of dirt!
You're so rude.
Kevin Beaumont
Will
Dan M
Erik Ableson
Will Dormann
MyCoworker
zaicurity
meriksson
VessOnSecurity
NosirrahSec 🏴☠️ guillotine enthusiast
James_inthe_box
Joseph
Oriel Jutty 
Dr. Christopher Kunz
RecklessPush38671
Fennix 
Jonas Köritz
OnlyMe
Rich Warren
Wombatadon
thepwnicorn
Steve Castellarin
Random Damage 🌻
Fellows