Chinese Cyber Actors Exploit Ivanti Connect Secure and Policy Secure Zero-Day Vulnerabilities

January 11, 2024

Suspected nation-state actors, believed to be linked to China, have exploited two zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure, affecting fewer than 10 customers. The hacking group, tracked as UTA0178, was identified by cybersecurity firm Volexity, which detected the malicious activity on one of its customers' networks in early December 2023. The VPN appliance may have been compromised as early as December 3, 2023.

The two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, have been exploited to achieve unauthenticated command execution on the ICS device. According to Ivanti, these vulnerabilities can be combined into an exploit chain to take over susceptible instances over the internet. "If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system," Ivanti stated in an advisory.

The threat actors have attempted to manipulate Ivanti's internal integrity checker (ICT), which provides a snapshot of the current state of the appliance, so that the tampering would not be reported. Ivanti plans to release patches in a staggered manner starting the week of January 22, 2024. In the meantime, users are advised to apply Ivanti's published workaround to protect against exploitation.

In the incident analyzed by Volexity, the two vulnerabilities were used to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. The attacker also modified a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to permit command execution. Furthermore, a JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate user credentials.

The attacker used the collected information and credentials to pivot to a few internal systems, eventually gaining unrestricted access to network systems. The attacks are characterized by reconnaissance efforts, lateral movement, and the deployment of a custom web shell named GLASSTOKEN via the backdoored CGI file to maintain persistent remote access to the external-facing web servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by January 31, 2024. Volexity warns that internet-accessible systems, especially critical devices like VPN appliances and firewalls, continue to be attractive targets for attackers.
