⚠️ Want a highly impactful, actively exploited border gateway zero-day situation to wake you up?

Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow-on patches.

In-the-wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.

Looks like Ivanti have done a really good job identifying.

I call it ConnectAround. #threatintel #connectaround

It's really widely used in enterprise space and government, so I would suggest it's one to get skates on and may need a bunch of compromise assessments at larger orgs.
Will (@thegpfury)

@[email protected] They just sent out a blast with a mitigation.

Excelsior!
Ivanti Community

A Shodan search for #ConnectAround

html:"welcome.cgi?p=logo"

https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22

Combine it with ssl:yourorg or org:yourorg to find your devices

@GossiTheDog I just checked Bulgaria's exposure to this and there are just a handful - but, holy fuck, one of them is critical infrastructure (the power grid).