Ivanti Connect Secure VPN Appliance Vulnerabilities (CVE-2023-46805 & CVE-2024-21887) Exploited to Deploy Webshells, Collect Credentials, and Perform Reconnaissance

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 7 minutes

Source Material: Volexity
Targeted Industries: All

What You Need to Know

Two vulnerabilities (CVE-2023-46805 & CVE-2024-21887) in Ivanti Connect Secure (ICS, formerly Pulse Connect Secure) and Ivanti Policy Secure gateways have been exploited. These vulnerabilities impact all supported versions – Version 9.x and 22.x. Chaining CVE-2024-21887 with CVE-2023-46805 does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.

CVE-2023-46805 is an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in the web component, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances.

In one known exploitation event, the threat actors placed webshells on multiple internal and external-facing web servers. The threat actors also dropped multiple malicious files on the compromised Ivanti Connect Secure VPN appliance. It is also believed that the threat actor created and executed a number of files from the system’s /tmp/ directory.

While the actors essentially used living-off-the-land techniques, they also deployed a handful of malware files and tools during the incident, primarily consisting of web shells, proxy utilities, and file modifications to allow credential harvesting. The threat actors established a proxy network using reverse SOCKS proxy and SSH tunnel connections back through compromised Cyberoam appliances and downloaded tooling from a compromised Cyberoam appliance.

Analyst Note: In 2014, Sophos acquired Cyberoam Technologies. Beginning in 2019, an End of Sales (EoS) announcement was made to begin the End of Life (EoL) process, during which Cyberoam was no longer available for purchase, but was still supported. The product has now officially entered the EoL stage, and the Cyberoam solution has officially migrated to Sophos Firewall. Due to when Cyberoam entered its EoL, it’s not clear if these compromised devices are EoL Cyberoam appliances or Sophos Firewall.

Once the threat actors had access to the network via the exploitation of the Ivanti Connect Secure VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise users’ credentials on any new system breached and use these credentials to log into additional systems via RDP.

To harvest user credentials, the threat actor modified lastauthserverused.js, a legitimate web app component, altering its “Login” function to POST user credentials to an actor-controlled domain. This modified code would result in a GET request from the user’s browser to the actor-controlled domain, with the victim’s username and password base64 encoded in the request.

The threat actors primarily looked through user files, configuration files, and testing system access. The primary notable activity beyond this was deploying webshells to multiple systems. The threat actors have not yet been observed deploying any more advanced malware implants or persistence mechanisms outside of webshells.

Regarding the webshells, only two variations of the same webshell were used in the attack. The first version has two code paths depending on the parameters present in the request. The first code path relays a connection and is similar to the “tunnel” template in ReGeorg. The second code path was primarily used to execute arbitrary PowerShell commands.

The second version of the webshell is almost exactly the same as the first, but it contains only the second code path to allow code execution. This version omits the native tunneling capability.

What We Don’t Know

While the actor primarily looked through user files and configuration files, tested system access, and deployed webshells to maintain persistence, we do not know the actor’s overall objectives, intentions, and scope of exploitation attempts. While exploitation of the vulnerabilities appears to be targeted, we do not know the actor’s targeting scope. The actors may target individual organizations for espionage or have a broader scope.

Analyst Note: The source material for this report, a blog post by Volexity titled “Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN,” states that they have attributed this activity to an unknown threat actor Volexity tracks under the alias UTA0178. Volexity has reason to believe that UTA0178 is a Chinese nation-state-level threat actor. However, Volexity does not detail how they arrived at this attribution. Assuming that UTA0178 is a Chinese nation-state threat actor, the exploitation of this vulnerability is likely targeted. However, without further details, we cannot rule out the possibility of a broader targeting scope.

What You Need to Do

Ivanti will release patches on a staggered schedule, with the first version targeted to customers the week of 22 January and the final version targeted to be available the week of 19 February. Customers can mitigate the vulnerabilities by importing mitigation.release.20240107.1.xml file via the download portal while the patch is in development. Additional details on potential impacts and steps to mitigate these vulnerabilities can be found here.

Organizations can use three primary methods to detect activity associated with a compromised Ivanti Connect Secure VPN appliance: network traffic analysis, VPN device log analysis, and execution of the Integrity Checker Tool.

Customers should examine anomalous network traffic originating from their VPN appliances, including outbound traffic to the Internet from the appliance and traffic from it to systems internally. Observed malicious activity includes curl requests to remote websites, SSH connections back to remote IPs, and encrypted connections to hosts not associated with SSO/MFA providers or device updates. Observed malicious internal traffic includes RDP and SMB activity to internal systems, SSH attempts to internal systems, and port scanning against hosts to look for systems with accessible services.
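To make the traffic review above concrete, the following is an added example (not code from the original post or from Volexity) that scans constructed flow records for the behaviours listed: outbound SSH, curl/HTTP and TLS to hosts outside an allowlist, RDP, SMB and SSH from the appliance to internal systems, and port-scan fan-out. The appliance address, the allowlist, the flow format and the scan threshold are assumptions.

```python
"""Flag traffic from an ICS VPN appliance that matches the observed activity.

Added example, not code from the original post or from Volexity. It assumes a
constructed flow format  src_ip,dst_ip,dst_port,direction  where direction is
'out' (to the Internet) or 'internal'; adapt the parser to your own flow export.
"""
from collections import defaultdict

VPN_APPLIANCE = "10.0.0.5"              # assumed address of the ICS appliance
KNOWN_EXTERNAL = {"198.51.100.7"}       # assumed SSO/MFA and update hosts (allowlist)
SCAN_THRESHOLD = 10                     # distinct ports per host before calling it a scan

# Outbound behaviours the post describes: curl to remote sites, SSH back out,
# encrypted connections to hosts that are not SSO/MFA or update services.
OUTBOUND_SUSPECT = {22: "ssh-to-remote", 80: "http-to-remote", 443: "tls-to-remote"}
# Internal behaviours: RDP and SMB to internal systems, SSH attempts.
INTERNAL_SUSPECT = {3389: "rdp", 445: "smb", 22: "ssh"}

def analyze_flows(records, appliance=VPN_APPLIANCE, allowlist=KNOWN_EXTERNAL):
    """Return (label, destination) findings for flows sourced from the appliance."""
    findings = []
    ports_per_host = defaultdict(set)
    for line in records:
        src, dst, port, direction = line.strip().split(",")
        if src != appliance:
            continue                    # only traffic originating from the appliance
        port = int(port)
        if direction == "out":
            if dst not in allowlist and port in OUTBOUND_SUSPECT:
                findings.append((OUTBOUND_SUSPECT[port], dst))
        elif direction == "internal":
            if port in INTERNAL_SUSPECT:
                findings.append((INTERNAL_SUSPECT[port], dst))
            ports_per_host[dst].add(port)   # per-host fan-out for scan detection
    for dst, ports in ports_per_host.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("port-scan", dst))
    return findings

# Constructed sample flows: one benign SSO connection, then the behaviours above.
SAMPLE_FLOWS = [
    "10.0.0.5,198.51.100.7,443,out",     # allowlisted SSO/MFA host: ignored
    "10.0.0.5,203.0.113.10,22,out",      # SSH back to a remote IP
    "10.0.0.5,203.0.113.20,443,out",     # TLS to an unknown host
    "10.0.0.5,10.0.1.15,3389,internal",  # RDP to an internal system
    "10.0.1.99,10.0.1.15,3389,internal", # not from the appliance: ignored
] + [f"10.0.0.5,10.0.1.20,{p},internal" for p in range(8000, 8010)]  # 10-port sweep

if __name__ == "__main__":
    for label, dst in analyze_flows(SAMPLE_FLOWS):
        print(f"{label:15} -> {dst}")
```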

Customers can review VPN logs on the web or export them for offline analysis. Customers can also configure a SYSLOG server to ensure VPN logs are sent to another destination and cannot be wiped or tampered with.

When examining logs from ICS VPN appliances, customers should look for the clearing of logs and the disabling of further logging. Requests for ICS VPN appliance paths that are valid but not commonly seen can also be a potential indicator of compromise. On multiple occasions, the threat actor accessed files stored in the /dana-na/help/ directory.

Starting with PCS 9.1R12, the appliance ships with a built-in version of the Integrity Checker Tool. Customers can schedule it to run automatically and log whether new or mismatched files are detected. In the web interface, under Event Logs in Log/Monitoring, these events appear as SYS32039 and SYS32040. These IDs appear only in the web interface, and only as a “critical” event in the downloaded log, with text such as “Integrity Scan Completed: Detected 2 new files”. The device should be considered compromised if any new or mismatched files are listed.
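As an added example (not code from the original post or from Volexity's tooling), the following script applies the log checks from the two preceding paragraphs to constructed log lines: requests to the rarely seen /dana-na/help/ path, SYS32039/SYS32040 integrity events with a non-zero file count, and a keyword check for log clearing. The `timestamp - EVENTID - message` line format, the WEBREQ/ADMIN IDs and the tampering keywords are assumptions; the real export format differs.

```python
"""Triage constructed ICS VPN appliance log lines for the indicators in the post.

Added example, not code from the original post or from Volexity. The line format
'timestamp - EVENTID - message', the WEBREQ/ADMIN IDs and the tampering keywords
are assumptions; only SYS32039/SYS32040 and /dana-na/help/ come from the post.
"""
import re

INTEGRITY_IDS = {"SYS32039", "SYS32040"}         # integrity scan event IDs from the post
INTEGRITY_RE = re.compile(r"Detected (\d+) (new|mismatched) files")
RARE_PATH_PREFIXES = ("/dana-na/help/",)         # valid but rarely requested paths
TAMPER_KEYWORDS = ("log cleared", "logs cleared", "logging disabled")  # assumed wording

def triage_ics_logs(lines):
    """Return (category, detail) findings for the three checks."""
    findings = []
    for raw in lines:
        _ts, event_id, msg = [part.strip() for part in raw.split(" - ", 2)]
        if event_id in INTEGRITY_IDS:
            m = INTEGRITY_RE.search(msg)
            if m and int(m.group(1)) > 0:          # a zero count is a clean scan
                findings.append(("integrity", f"{event_id}: {m.group(1)} {m.group(2)} files"))
        elif any(prefix in msg for prefix in RARE_PATH_PREFIXES):
            findings.append(("rare-path", msg.split()[-1]))
        elif any(keyword in msg.lower() for keyword in TAMPER_KEYWORDS):
            findings.append(("log-tampering", msg))
    return findings

def appliance_compromised(findings):
    """The post's rule: any new or mismatched file means the device is compromised."""
    return any(category == "integrity" for category, _ in findings)

# Constructed sample log: two positive scans, a common path, a rare path,
# a log-clearing event and a clean scan.
SAMPLE_LOG = [
    "2024-01-12T10:00:01Z - SYS32039 - Integrity Scan Completed: Detected 2 new files",
    "2024-01-12T10:00:02Z - SYS32040 - Integrity Scan Completed: Detected 1 mismatched files",
    "2024-01-12T10:05:00Z - WEBREQ - GET /dana-na/auth/url_default/welcome.cgi",
    "2024-01-12T10:05:07Z - WEBREQ - GET /dana-na/help/placeholder.cgi",
    "2024-01-12T10:09:30Z - ADMIN - Event log cleared by user admin",
    "2024-01-13T10:00:01Z - SYS32039 - Integrity Scan Completed: Detected 0 new files",
]

if __name__ == "__main__":
    found = triage_ics_logs(SAMPLE_LOG)
    for category, detail in found:
        print(f"{category:14} {detail}")
    print("compromised:", appliance_compromised(found))
```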

In addition to the built-in version, Ivanti has an enhanced version of the Integrity Checker Tool that customers can run on Ivanti Connect Secure VPN appliances, which organizations can download. Once saved locally, the tool is run by uploading a package to the server and installing it as a Service Pack. The tool will then run and display its results, including the discovery of any new or mismatched files. Note: Running the Integrity Checker Tool will reboot the ICS VPN appliance, resulting in the contents of the system memory being largely overwritten. If you have indicators of compromise before running this tool, it is recommended not to run it until you can collect memory and other forensic artifacts.

If you discover that your Ivanti Connect Secure (ICS) VPN appliance is compromised, it is essential to take immediate action. You do not want to wipe and rebuild the ICS VPN appliance. Collecting logs, system snapshots, and forensics artifacts (memory and disk) from the device is crucial. Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible. Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised, which may require password resets, secret changes, and additional investigations.
