⚠️ Want a highly impactful, actively exploited border gateway zero-day situation to wake you up?

Ivanti Pulse Secure, aka Ivanti Connect Secure and Ivanti Policy Secure Gateway, customers - prepare to deploy mitigations and await follow-on patches.

In-the-wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.

Looks like Ivanti have done a really good job identifying.

I call it ConnectAround. #threatintel #connectaround

It's really widely used in enterprise space and government, so I would suggest it's one to get skates on and may need a bunch of compromise assessments at larger orgs.
Will (@thegpfury)

@[email protected] They just sent out a blast with a mitigation.

Excelsior!

A Shodan search for #ConnectAround

html:"welcome.cgi?p=logo"

https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22

Combine it with ssl:yourorg or org:yourorg to find your devices.

Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways

We have discovered new vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. We are reporting these vulnerabilities as CVE-2023-46805 and CVE-2024-21887.

This is definitely being actively used in the wild - Ivanti have opted to hide that part behind a paywall. Paywall link: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

Ivanti disclosure flow chart, apparently.

More info on #ConnectAround from @volexity

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

- Exploitation dates to at least late 2023
- Chinese nation state actor

Loads of info in the blog.

Another #ConnectAround Shodan search: product:"Pulse Secure"

Obvious point - there will likely be more #ConnectAround victims.

Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.

@GossiTheDog I get at least 5 twigs, and sometimes a pile of dirt!

You're so rude.

@GossiTheDog Sometimes they spit in the dirt to remind me how good I have it for being the only security SME and also doing my standard T3 ops work.
@GossiTheDog (I am kidding, and love my org so much.)