Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be further used to check and verify systems. On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these […]
Exploits
-
Ivanti Connect Secure VPN Exploitation Goes Global
January 15, 2024
by Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, Thomas Lancaster
-
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
January 10, 2024
by Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, Thomas Lancaster
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach. During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection […]
-
Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925
August 10, 2022
by Volexity Threat Research
[Note: Volexity has reported all findings in this post to Zimbra. Where an existing contact was known, Volexity has notified local CERTs of compromised Zimbra instances in their constituency. The newest versions of Zimbra are patched for both the RCE vulnerability and authentication bypass vulnerabilities described in this blog.] In July and early August 2022, Volexity worked on multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers. Volexity’s investigations uncovered evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This initial CVE was patched by Zimbra in March 2022 in 8.8.15P31 and 9.0.0P24. Figure 1. Description of CVE-2022-27925 from the NIST website Initial research into the vulnerability did not uncover any public exploit code, but since a patch had been available for several months, it was reasonable that exploit code could have been […]
-
Zero-Day Exploitation of Atlassian Confluence
June 2, 2022
by Andrew Case, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to mitigate their risk. Additional observations after publication of this blog post have been shared here, with guidance on how to verify if you have been impacted by unauthorized access. Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from […]
-
North Korean APT InkySquid Infects Victims Using Browser Exploits
August 17, 2021
by Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, Thomas Lancaster
Volexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a South Korean online newspaper that focuses on issues relating to North Korea. Malicious code on the Daily NK website was observed from at least late March 2021 until early June 2021. This post provides details on the different exploits used in the SWC, as well as the payload used, which Volexity calls BLUELIGHT. Volexity attributes the activity described in this post to a threat actor Volexity refers to as InkySquid, which broadly corresponds to activity known publicly under the monikers ScarCruft and APT37. SWC Activity In April 2021, through its network security monitoring on a customer network, Volexity identified suspicious code being loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Examples of URLs observed loading malicious code include the following: hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 These URLs lead to legitimate files used as part of the […]
-
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
March 2, 2021
by Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers’ Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]
-
Microsoft Exchange Control Panel (ECP) Vulnerability CVE-2020-0688 Exploited
March 6, 2020
by Volexity Threat Research
On February 11, 2020, as part of Patch Tuesday, Microsoft released cumulative updates and a service pack that addressed a remote code execution vulnerability found in Microsoft Exchange 2010, 2013, 2016, and 2019. The vulnerability was discovered by an anonymous security researcher and reported to Microsoft by way of Trend Micro’s Zero Day Initiative. Two weeks after the security updates were released, the Zero Day Initiative published a blog post providing more details on the vulnerability. The post made it clear that an attacker could exploit a vulnerable Exchange server if the following three criteria were met: The Exchange Server had not been patched since February 11, 2020. The Exchange Control Panel (ECP) interface was accessible to the attacker. The attacker has a working credential that allows them to access the Exchange Control Panel in order to collect the ViewStateKey from the authenticated session cookie as well as the __VIEWSTATEGENERATOR […]
-
Drupalgeddon 2: Profiting from Mass Exploitation
April 16, 2018
by Matthew Meltzer, Steven Adair
On March 28, 2018, a patch for a highly critical vulnerability, which facilitates remote code execution against the Drupal content management system was released. The vulnerability was identified by Jasper Mattson of Druid and is covered by SA-2018-002 and CVE-2018-7600. Prior to the release of the patch, Drupal had given advanced notice of its impending release and potential consequences tied to the ease of the vulnerability’s exploitation. This sparked concerns of a new “Drupalgeddon”, where a large number of unpatched websites would be compromised. This comes on the heels of a major Drupal vulnerability from October 2014 that was widely exploited by advanced persistent threat (APT) actors and criminals that Volexity detailed in a previous blog post title Drupal Vulnerability: Mass Scans & Targeted Exploitation. In a post dated April 13, 2018, the Drupal team stated the following: The security team is now aware of automated attacks attempting to compromise Drupal […]
-
Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence
October 7, 2015
by Volexity
In the world of information security, there is never a dull moment. Part of the fun of working in this space is that you always get to see attackers do something new or put a new spin on something old. Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks. The method, which involves modifying the login pages to Cisco Clientless SSL VPNs (Web VPN), is both novel and surprisingly obvious at the same time. Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources. Whether you are proactively monitoring your network or reactively undergoing an incident response, one of the last places you might examine for backdoors are your firewalls and VPN gateway appliances. […]
-
APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)
July 8, 2015
by Volexity
As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the bowels of Hacking Team data dump was a Flash 0-day exploit (CVE-2015-5119) that was just patched today by Adobe as covered in APSB15-16. The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit. However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well. Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven’t already, update/patch your Adobe Flash now. Spear Phishing This morning, a well known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. […]