⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?
Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.
In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.
Looks like Ivanti have done a really good job identifying.
I call it ConnectAround. #threatintel #connectaround
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
More info on #ConnectAround from @volexity
- Exploitation dates to at least late 2023
- Chinese nation state actor
Loads of info in the blog.
Obvious point - there will likely be more #ConnectAround victims.
Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.
NCSC UK note on #ConnectAround https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities
Nothing new. #threatintel
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.
The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
If you use Pulse Secure, you probably want to find an IR firm.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA00178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.
If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.
Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow
Kevin Beaumont
Rich Warren
TheGift73
Interpipes 💙