iTWire - Volexity finds two zero-days being exploited in Ivanti Connect Secure V...

source link: https://itwire.com/business-it-news/security/volexity-finds-two-zero-days-being-exploited-in-ivanti-connect-secure-vpn.html

Thursday, 11 January 2024 10:18

Volexity finds two zero-days being exploited in Ivanti Connect Secure VPN

By Sam Varghese

Security firm Volexity says it has discovered active exploitation of two zero-day vulnerabilities in Ivanti Connect Secure VPN, with the two flaws being chained to allow unauthenticated remote code execution.

In a detailed blog post, the company said it had discovered the exploitation during the second week of December 2023, through one of its Network Security Monitoring service customers.

Having found suspicious lateral movement, Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair and Thomas Lancaster wrote that closer inspection had found an attacker placing webshells on multiple internal and external-facing Web servers.

"These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organisation's internet-facing Ivanti Connect Secure VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure)," they wrote.

"A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address."

Volexity said analysis of one memory sample it collected uncovered the exploit chain used by the attacker, namely that two different zero-day exploits were being chained together to achieve unauthenticated remote code execution.

Ivanti has issued its own security advisories for the two vulnerabilities and released pre-patch mitigations for the issues. Full patches will be released on a staggered schedule beginning on 22 January.

Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said: "The first vulnerability, CVE-2023-46805, is an authentication bypass vulnerability that allows remote attackers to access restricted resources without proper authorisation.

"The second vulnerability, CVE-2024-21887, is a command injection vulnerability that enables authenticated administrators to execute arbitrary commands on the appliance through specially crafted requests. These vulnerabilities together create a potent attack vector for cybercriminals to gain control of vulnerable systems and execute malicious commands effortlessly."

He said the impact seemed substantial, affecting all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways, with more than 15,000 exposed devices online, as reported by Shodan.

"Exploitation can lead to arbitrary command execution, MFA bypass, and potentially full system compromise. Organisations that have not yet applied available mitigations and those lacking proper security measures like firewalls and intrusion detection systems are likely to experience the most severe consequences," Walters added.

In July last year, Ivanti made headlines when it was revealed that the company had initially blocked access to a security advisory about an exploitable zero-day in its Endpoint Manager Mobile software, formerly known as MobileIron Core.

Later the US-based endpoint software management firm apparently had second thoughts and opened up access to the advisory following an inquiry from iTWire.

Walters said both vulnerabilities had already been exploited in the wild, with evidence of threat actors attempting to manipulate Ivanti's Internal Integrity Checker.

"To exacerbate the situation, patches will not be available on a staggered schedule until the week of 22 January, leaving organisations exposed to potential attacks until then," he added.

"It is crucial for organisations to take immediate action by importing the available mitigation release from Ivanti's download portal."
