In a recent series of blog posts related to two zero-day vulnerabilities in Ivanti Connect Secure VPN, Volexity shared details of active in-the-wild exploitation; provided an update on how exploitation had gone worldwide; and reported observations of how malware and modifications to the built-in Integrity Checker Tool were used to evade detection. A critical piece of Volexity’s initial investigation involved collecting and analyzing a memory sample. As noted in the first blog post of the three-part series (emphasis added): “…Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance.” Collect & Analyze Memory ASAP Volexity regularly prioritizes memory forensics […]
VPN
-
How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities
February 1, 2024
by Andrew Case, Michael Hale Ligh, Volexity Volcano Team
-
Ivanti Connect Secure VPN Exploitation: New Observations
January 18, 2024
by Matthew Meltzer, Sean Koessel, Steven Adair
On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024, proof-of-concept code for the exploit was made public. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning the same day. Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by GIFTEDVISITOR to […]
-
Ivanti Connect Secure VPN Exploitation Goes Global
January 15, 2024
by Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, Thomas Lancaster
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be further used to check and verify systems. On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these […]
-
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
January 10, 2024
by Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, Thomas Lancaster
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach. During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection […]
-
Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence
October 7, 2015
by Volexity
In the world of information security, there is never a dull moment. Part of the fun of working in this space is that you always get to see attackers do something new or put a new spin on something old. Last month at the CERT-EU Conference in Brussels, Belgium, Volexity gave a presentation on a recent evolution in how attackers are maintaining persistence within victim networks. The method, which involves modifying the login pages to Cisco Clientless SSL VPNs (Web VPN), is both novel and surprisingly obvious at the same time. Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they login to access internal corporate resources. Whether you are proactively monitoring your network or reactively undergoing an incident response, one of the last places you might examine for backdoors are your firewalls and VPN gateway appliances. […]