⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?
Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.
In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.
Looks like Ivanti have done a really good job identifying.
I call it ConnectAround. #threatintel #connectaround
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
More info on #ConnectAround from @volexity
- Exploitation dates to at least late 2023
- Chinese nation state actor
Loads of info in the blog.
Obvious point - there will likely be more #ConnectAround victims.
Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.
NCSC UK note on #ConnectAround https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities
Nothing new. #threatintel
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.
The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
If you use Pulse Secure, you probably want to find an IR firm.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA00178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.
If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.
Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow
Complete exploitation info for #ConnectAround is now public. https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805
It’s a chaotic mix of ../../ directory traversal and open APIs… if you haven’t applied the mitigations you’re going to have a really bad time as ransomware groups will jump on the train soon. #threatintel
Palo-Alto are tracking 30k boxes exposed to #ConnectAround
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/
Amazing - first mass spraying of #ConnectAround by notChina and they’re delivering.. coin miners. 🤣🤣🤣
Attached: 1 image We're seeing more than just scanning for the recent pair of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) - we're seeing real exploitation attempts - this one installs a Bitcoin miner! Patch your hosts ASAP!
I strongly suspect there are a whole bunch of large orgs running incidents for #ConnectAround now.
Why? Pulse Secure boxes which didn't have the mitigation supplied have stopped responding totally for over a day.. when Shodan history shows they've been running on same IP for years.
Latest #ConnectAround issue - there’s no patch, and the mitigation silently fails to work if an admin makes a config change elsewhere.
If you run Pulse Secure I’d suggest being very cautious.
Latest on #ConnectAround - the vendor promised patches weeks later, but hasn’t been hitting its own milestones to release said patches.
https://www.securityweek.com/ivanti-struggling-to-hit-zero-day-patch-release-schedule/
More hilarity on #ConnectAround - there’s now two NEW vulnerabilities in Ivanti Pulse Secure, being actively exploited as zero days too - no patches for many versions.
Updated advisory with updated mitigations you need to reapply:
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
CVEs: CVE-2024-21893 and CVE-2024-21888
CERT advisory: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-205101-1032.pdf?__blob=publicationFile&v=2
Ivanti recommend you factory reset your devices in their advisory.
HT @fthy
CISA re #ConnectAround "As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks."
https://www.securityweek.com/cisa-sets-48-hour-deadline-for-removal-of-insecure-ivanti-products/
Here is the latest mitigation for #ConnectAround visualised by @wdormann, if you want to know how the US Government is getting comprehensively owned again.
Spoiler: ../.. cyber mega threat. #threatintel
844 IPs exploiting #ConnectAround and their payloads https://gist.github.com/andrew-morris/7679a18ef815068897bf27bf631f2ede
The deadline has now passed for US federal government agencies to disconnect all Ivanti Pulse Secure systems from their networks. (Not all have, btw).
More soon on why the USG have told people to kill the product. It’s bad.
3 months since #ConnectAround vulns in Ivanti Pulse Connect
Ivanti have announced they plan to radically change how they work to reposition around customer security: https://www.ivanti.com/blog/our-commitment-to-security-an-open-letter-from-ivanti-ceo-jeff-abbott
It’s a good move. I just went back and looked at my Ivanti Pulse Connect internet survey and re-ran it - it looks like about 10% of systems no longer run that product. It’s both the right thing by customers and a smart business move to try to stop the bleeding.
@GossiTheDog Same day they announce 4 new Ivanti Connect Secure/Ivanti Policy Secure vulnerabilities: 🔗 https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
emoji for@wdormann @GossiTheDog @fthy so when “reset to factory defaults before patching” is NOT the full solution do we just remediate with Fire 🔥?
I mean the new ‘mitigation’ XML that affects SAML auth should have minimal user experience impact, right?
@pejacoby @GossiTheDog @fthy
I wouldn't be surprised if SAML is broken when the mitigation XML is applied.
Regarding factory reset, or any wanted-to-be-trusted activity, there needs to be some sort of root of trust. If you're asking a maybe-compromised thing to do a thing and you need to trust the results, that's a fundamentally flawed design.
@barubary @GossiTheDog I'm pretty sure it's 2000.
@GossiTheDog @buffaloverflow IIRC, this is actually how mitre used to ask people to do it ages past, though it's been a few years since that was changed (with the cve.org split I think?).
Which seems crazy but I think they were just aiming to get companies to buy in.
@dezz @GossiTheDog @buffaloverflow
I think it only produces a file if it finds mismatched files or an issue?
Kevin Beaumont
Not Simon
Brian Clark
VessOnSecurity
Moved to @GalacticJew@t51b.org
Chibani
gmmds
mertz_james
Mast3rcraft22
thepwnicorn
Anthropy
pmelon
Will
Dan M
Erik Ableson
Mr. Bitterness
pejacoby
MyCoworker
zaicurity
meriksson
NosirrahSec 🏴☠️ guillotine enthusiast
James_inthe_box
Joseph
Oriel Jutty 
Dr. Christopher Kunz
RecklessPush38671
Fennix 
Jonas Köritz
OnlyMe