Two zero-day vulnerabilities affecting Ivanti’s Connect Secure VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation.
As discovered by threat intelligence company Volexity, which also first spotted the zero-days being used in attacks since December, multiple threat groups chain the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities in widespread attacks starting January 11.
“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” Volexity warned today.
The attackers backdoored their targets’ systems using a GIFTEDVISITOR webshell variant which was found on hundreds of appliances.
“On Sunday, January 14, 2024, Volexity had identified over 1,700 ICS VPN appliances that were compromised with the GIFFEDVISITOR webshell. These appliances appear to have been indiscriminately targeted, with victims all over the world,” Volexity said.
The list of victims discovered by Volexity so far includes government and military departments worldwide, national telecommunications companies, defense contractors, technology companies, banking, finance, and accounting organizations, worldwide consulting outfits, and aerospace, aviation, and engineering firms.
While Ivanti is yet to release patches for these two actively exploited zero-days, admins are advised to apply mitigation measures provided by the vendor on all ICS VPNs on their network.
They should also run Ivanti’s Integrity Checker Tool and consider all data on the ICS VPN appliance (including passwords and any secrets) as compromised if signs of a breach are found, as detailed in the ‘Responding to Compromise’ section of Volexity’s previous blog post.
Threat monitoring service Shadowserver currently tracks more than 16,800 ICS VPN appliances exposed online, almost 5,000 in the United States (Shodan also sees over 15,000 Internet-exposed Ivanti ICS VPNs).
As Ivanti disclosed last week, attackers can run arbitrary commands on all supported versions of ICS VPN and IPS appliances when successfully chaining the two zero days.
Attacks have now escalated from a limited number of customers impacted by attacks exploiting these vulnerabilities, with the suspected Chinese state-backed threat actor (tracked as UTA0178 or UNC5221) now being joined by multiple others.
As Mandiant also revealed on Friday, its security experts found five custom malware strains deployed on breached customers’ systems with the end goal of dropping webshells, additional malicious payloads, and stealing credentials.
The list of tools used in the attacks includes:
- Zipline Passive Backdoor: custom malware that can intercept network traffic, supports upload/download operations, creates reverse shells, proxy servers, server tunneling
- Thinspool Dropper: custom shell script dropper that writes the Lightwire web shell onto Ivanti CS, securing persistence
- Wirefire web shell: custom Python-based web shell supporting unauthenticated arbitrary command execution and payload dropping
- Lightwire web shell: custom Perl web shell embedded in a legitimate file, enabling arbitrary command execution
- PySoxy tunneler: facilitates network traffic tunneling for stealthiness
- BusyBox: multi-call binary combining many Unix utilities used in various system tasks
- Thinspool utility (sessionserver.pl): used to remount the filesystem as ‘read/write’ to enable malware deployment
The most notable is ZIPLINE, a passive backdoor that intercepts incoming network traffic and provides file transfer, reverse shell, tunneling, and proxying capabilities.
Suspected Chinese hacking groups used another ICS zero-day tracked as CVE-2021-22893 two years ago to breach dozens of U.S. and European government, defense, and financial organizations.
Last year, starting in April, two other zero-days (CVE-2023-35078 and CVE-2023-35081) in Ivanti’s Endpoint Manager Mobile (EPMM) were tagged as actively exploited and later reported as being used to breach several Norwegian government organizations.
One month later, hackers started using a third zero-day flaw (CVE-2023-38035) in Ivanti’s Sentry software to bypass API authentication on vulnerable devices in limited and targeted attacks.