Ivanti has finally begun patching a pair of zero-day security vulnerabilities disclosed on January 10 in its Connect Secure VPN equipment. However, today it also announced two additional bugs in the platform, CVE-2024-21888 and CVE-2024-21893, the latter of which is also under active exploitation in the wild.
Ivanti has released the first set of patches for the original pair of zero-days (CVE-2024-21887 and CVE-2023-46805), but only for some versions; additional fixes will be rolled out on a staggered schedule over the next few weeks, the company said in its updated advisory today. Meanwhile, Ivanti has provided a mitigation that unpatched organizations should apply immediately to avoid falling victim to mass exploitation by Chinese state-sponsored actors and similarly motivated cybercriminals.
Multiple custom malware strains anchor data-theft attacks
That exploitation continues unabated. According to Mandiant, a China-backed advanced persistent threat (APT) tracked as UNC5221 has been behind a series of exploits dating back to early December. But overall activity has increased considerably since CVE-2024-21888 and CVE-2024-21893 were made public in early January.
“In addition to UNC5221, we recognize the possibility that one or more related groups may be associated with the activity,” Mandiant researchers said in an analysis of the Ivanti attacks released today. “It is likely that groups other than UNC5221 have adopted one or more of these [the] tools [associated with the compromises].”
To that end, Mandiant released more information about the types of malware that UNC5221 and other actors are using in attacks on Ivanti Connect Secure VPNs. So far, the implants observed in the wild include:
- A variant of the LightWire Web shell that plugs into a legitimate VPN gateway component, now featuring a different obfuscation routine.
- Two UNC5221 custom Web shells, called “ChainLine” and “FrameSting”, which are backdoors embedded in the Ivanti Connect Secure Python packages that allow execution of arbitrary commands.
- ZipLine, a passive backdoor used by UNC5221 that relies on a custom, encrypted protocol to establish command-and-control (C2) communications. Its functions include file upload and download, a reverse shell, a proxy server, and a tunneling server.
- New variants of the WarpWire credential-stealing malware, which steals plain-text passwords and usernames and exfiltrates them to a hardcoded C2 server. Mandiant does not attribute all variants to UNC5221.
- Multiple open source tools used to support post-exploitation activities such as internal network reconnaissance, lateral movement, and data exfiltration within a limited number of victim environments.
“UNC5221 nation-state actors have successfully targeted and exploited Ivanti vulnerabilities to steal configuration data, modify existing files, download remote files, and reverse tunnel within networks,” says Ken Dunham, director of cyber threats at the Qualys Threat Research Unit, who warns that Ivanti users should be on the lookout for supply chain attacks against their customers, partners, and suppliers. “Ivanti will probably be targeted due to the functionality and architecture it provides to actors, if compromised, as a networking and VPN solution, in downstream networks and targets of interest.”
In addition to these tools, Mandiant researchers have reported activity that uses a bypass for Ivanti’s initial stopgap mitigation, detailed in the original advisory; in these attacks, unknown cyberattackers are deploying a custom cyber-espionage Web shell called “Bushwalk,” which can read or write files on a server.
“The activity is highly targeted, limited, and is distinct from post-advisory mass exploitation activity,” according to the researchers, who also provided extensive indicators of compromise (IoCs) and YARA rules for defenders.
Ivanti and CISA released updated mitigation guidance yesterday that organizations should apply.
Two new high-severity zero-day bugs
In addition to rolling out patches for the three-week-old bugs, Ivanti also added fixes for two new CVEs to the same advisory. They are:
- CVE-2024-21888 (CVSS score: 8.8): A privilege escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure, which allows attackers to gain administrator privileges.
- CVE-2024-21893 (CVSS score: 8.2): A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, which allows attackers to access “certain restricted resources without authentication”.
Only exploits for the latter have been circulating in the wild, and the activity “appears to be targeted,” according to Ivanti’s advisory, which added that organizations should “expect a sharp increase in exploitation once this information becomes public – similar to what we observed on January 11 following the January 10 disclosure.”
Qualys TRU’s Dunham says he expects attacks not only from APTs: “Many actors are taking advantage of opportunities to exploit vulnerabilities before organizations patch and harden themselves against attacks. Ivanti is being weaponized by state actors and now likely by others as well, which should draw your attention and priority to the patch if you are using vulnerable versions in production.”
The researchers also warn that the outcome of a compromise can be dangerous for organizations.
“These [new] high-severity Ivanti flaws are serious [and particularly valuable for attackers] and should be patched immediately,” says Patrick Tiquet, vice president of security and architecture at Keeper Security. “These vulnerabilities, if exploited, can grant unauthorized access to sensitive systems and compromise an entire network.”