The Cybersecurity and Infrastructure Security Agency (CISA) has issued its first emergency directive of the year, instructing Federal Civilian Executive Branch (FCEB) agencies to urgently address two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. The directive was prompted by active exploitation of both flaws by multiple threat actors in extensive attacks, particularly ones that chain the CVE-2023-46805 authentication bypass with the CVE-2024-21887 command injection vulnerability. Ivanti has yet to release security patches for these vulnerabilities.
CISA stated on Friday that these conditions pose an unacceptable risk to FCEB agencies, necessitating immediate action. This decision is based on the widespread exploitation of the vulnerabilities by multiple threat actors, the prevalence of the affected products in federal enterprises, the potential for compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.
The emergency directive, ED 24-01, mandates that federal agencies swiftly implement Ivanti's publicly disclosed mitigation measures to fend off attack attempts. Additionally, agencies must use Ivanti's External Integrity Checker Tool. To fully restore impacted appliances and return them to service, agencies must follow Ivanti's recovery instructions.
Shadowserver, a threat monitoring service, is currently tracking over 16,200 Ivanti ICS VPN appliances exposed online, with more than 4,700 in the United States. The service is also monitoring the number of compromised Ivanti Connect Secure VPN instances globally, with over 600 devices already hacked as of January 16.
Volexity, a threat intelligence company, revealed that one of the attackers, suspected to be a Chinese state-backed threat actor tracked as UTA0178 and UNC5221, has already backdoored over 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant. Mandiant found five custom malware strains deployed on breached customers' systems, used to steal credentials and to deploy webshells and additional malicious payloads. The threat actor has been harvesting account and session data, along with other information, from compromised networks.
The victims identified so far span various sectors and sizes, from small businesses to Fortune 500 companies, including government and military departments globally, national telecommunications companies, defense contractors, technology companies, banking, finance, and accounting organizations, consulting firms, and aerospace, aviation, and engineering firms. Volexity and GreyNoise have also observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads, which are still under analysis.