⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?
Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.
In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.
Looks like Ivanti have done a really good job identifying.
I call it ConnectAround. #threatintel #connectaround
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
More info on #ConnectAround from @volexity
- Exploitation dates to at least late 2023
- Chinese nation state actor
Loads of info in the blog.
Obvious point - there will likely be more #ConnectAround victims.
Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.
NCSC UK note on #ConnectAround https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities
Nothing new. #threatintel
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.
The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
If you use Pulse Secure, you probably want to find an IR firm.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA00178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.
If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.
Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow
Here is a public advisory for #ConnectAround, two actively exploited zero days in Ivanti Connect Secure aka Ivanti Pulse Secure
https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
A Shodan search for #ConnectAround
html:"welcome.cgi?p=logo"
https://beta.shodan.io/search?query=html%3A%22welcome.cgi%3Fp%3Dlogo%22
Combine it with ssl:yourorg or org:yourorg to find your devices
Companion blog for #ConnectAround https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways
Mandiant and Volexity found it, in the wild.
More info on #ConnectAround from @volexity
- Exploitation dates to at least late 2023
- Chinese nation state actor
Loads of info in the blog.
Obvious point - there will likely be more #ConnectAround victims.
Most orgs don't have the capability to detect suspected zero day exploitation of a VPN and call in Mandiant IR... they probably have Bob The Builder as an MSP and a security budget of 4 twigs.
NCSC UK note on #ConnectAround https://www.ncsc.gov.uk/news/exploitation-ivanti-vulnerabilities
Nothing new. #threatintel
Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.
The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
If you use Pulse Secure, you probably want to find an IR firm.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA00178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these vulnerabilities. Since publication of these details, Volexity has continued to monitor its existing customers for exploitation. Volexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched file detections. Volexity has been actively working multiple new cases of organizations with compromised ICS VPN appliances.
If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.
Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow
Complete exploitation info for #ConnectAround is now public. https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805
It’s a chaotic mix of ../../ directory traversal and open APIs… if you haven’t applied the mitigations you’re going to have a really bad time as ransomware groups will jump on the train soon. #threatintel
Palo-Alto are tracking 30k boxes exposed to #ConnectAround
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/
Amazing - first mass spraying of #ConnectAround by notChina and they’re delivering.. coin miners. 🤣🤣🤣
Attached: 1 image We're seeing more than just scanning for the recent pair of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) - we're seeing real exploitation attempts - this one installs a Bitcoin miner! Patch your hosts ASAP!
@barubary @GossiTheDog I'm pretty sure it's 2000.
@GossiTheDog @buffaloverflow IIRC, this is actually how mitre used to ask people to do it ages past, though it's been a few years since that was changed (with the cve.org split I think?).
Which seems crazy but I think they were just aiming to get companies to buy in.
@dezz @GossiTheDog @buffaloverflow
I think it only produces a file if it finds mismatched files or an issue?
@GossiTheDog No response from our critical infrastructure guys.
Meanwhile, the boss said that she'll inform DANS (a state security agency here; something like a combination of the FBI and the NSA; deals with cyber crimes and other stuff too) and scolded me for trying to contact the vulnerable company.
Apparently, this is not safe to do here. According to her, another colleague did that once - reported a vulnerability to a company that had vulnerable machines - and the company sent him a couple of bouncers to "discourage him form poking our computers". I kid you not.
@GossiTheDog Are you using the watchTowr Labs method?
I used that to scan the machine at our critical infrastructure company. Not only is the machine indeed vulnerable but it also has an SSL certificate that has expired 101 days ago, which means that literally nobody is paying attention to it.
No wonder my e-mail went unanswered...
@GossiTheDog I get at least 5 twigs, and sometimes a pile of dirt!
You're so rude.
"We are unable to discuss the specifics of our customers."
Yeah, but there's nothing stopping them from providing a wealth of general details that wouldn't out the affected customers at all.
@dangoodin @GossiTheDog You'd think after all of us, collectively, in the infosec community roasting every poor response for 10 years+ they'd learn that being SAFELY transparent is always the correct response.
This is a scummy response that taints them even further in my eyes and I will resist using any of their products, services, or anything in the future based on this sort of behavior.
I am not alone in that line of thinking and it may not be a big impact, but it adds up the more people think like I do.
Kevin Beaumont
Rich Warren
TheGift73
Interpipes 💙
Oriel Jutty 
VessOnSecurity
Dr. Christopher Kunz
RecklessPush38671
Fennix 
Jonas Köritz
OnlyMe
Wombatadon
thepwnicorn
Steve Castellarin
Random Damage 🌻
Fellows
NosirrahSec 🏴☠️ guillotine enthusiast
QRSS_Test
Dan Goodin
JP
corbeaucrypto
hhf