Five Eyes Warn of Ivanti Vulnerabilities Exploitation

Read more on Ivanti vulnerabilities:

Eight government agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) issued an urgent warning on February 29 about the active exploitation of Ivanti product vulnerabilities.

Specifically, the joint advisory assessed that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

The vulnerabilities identified as actively exploited by threat actors are the following:

These vulnerabilities impact all supported versions (9.x and 22.x) of Ivanti gateways.

Their severity ratings range from high to critical. They can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests and execute arbitrary commands with elevated privileges.

These are three of five vulnerabilities discovered in Ivanti’s product since January 2024.

Ivanti Compromise Detection Tools Fail

In their joint advisory, the Five Eyes agencies also note that cyber threat actors can deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.

“During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise.

“In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” reads the advisory.

Five Eyes’ Mitigation Recommendations

The agencies provided a set of actions for all users of Ivanti gateways to take:

  1. Assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised
  2. Hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory
  3. Run Ivanti’s most recent external ICT
  4. Apply available patching guidance provided by Ivanti as version updates become available
  5. If a potential compromise is detected, collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” the document insisted.

The joint advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (Cyber Centre), the Australian Cyber Security Centre (ACSC), the New Zealand National Cyber Security Centre (NCSC-NZ), the CERT-New Zealand (CERT NZ) and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

These agencies received the support of Volexity, Ivanti, Mandiant and other industry partners.


Credit: Source link

Comments are closed.