CISA Warns of Persistent Threats on Hacked Ivanti VPN Appliances Even After Factory Resets

February 29, 2024

CISA has revealed that hackers exploiting vulnerabilities in Ivanti VPN appliances may be able to maintain root persistence even after factory resets. These attackers can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on compromised Ivanti Connect Secure and Policy Secure gateways. The vulnerabilities being exploited, including CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893, range from high to critical severity and can be used for authentication bypass, command injection, server-side request forgery, and arbitrary command execution.

CISA discovered that the Ivanti ICT was unable to detect compromises during multiple hacking incidents involving Ivanti appliances. This was because web shells found on systems showed no file mismatches according to the Ivanti ICT. Forensic analysis also revealed that attackers hid their tracks by overwriting files, time-stomping files, and re-mounting the runtime partition to restore the compromised appliance to a 'clean state.' This indicates that ICT scans may not always effectively detect previous compromises and could create a false sense of security.

In response to these issues, Ivanti has released an updated external Integrity Checker Tool. However, CISA has independently confirmed that Ivanti's ICT alone is not sufficient to detect a compromise, as threat actors might retain root-level persistence across factory resets. 'During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise,' CISA warned on Thursday. 'In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.'
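The two preceding paragraphs describe why a vendor integrity checker that only reports "file mismatches" can miss a compromise when the attacker overwrites files, back-dates their timestamps, and re-mounts the runtime partition. The following added example is not Ivanti's ICT or any Ivanti code; it is a small, generic Python integrity check that a defender can run against a copied-off filesystem image. It records a SHA-256 baseline of every file, reports files that were modified, added, or removed, and separately flags files whose modification time is older than their inode-change time, which on Unix filesystems is a common artifact of mtime time-stomping (ctime cannot be set from user space via utime, so back-dating mtime leaves ctime newer). The directory layout and file contents are constructed for the demo; the `demo()` function stages a tampered, back-dated file and a newly added file to show what each check surfaces.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic tolerance: if a file's inode-change time (ctime) is newer than its
# modification time (mtime) by more than this many seconds, the mtime was set
# backwards or the file had a later metadata-only change. It is a triage signal,
# not proof of tampering (chmod/chown also bump ctime). Assumes Unix ctime
# semantics; on Windows st_ctime is the creation time and the check is meaningless.
STOMP_TOLERANCE_SECONDS = 5 * 60


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def scan(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against a baseline and look for back-dated files."""
    current = build_baseline(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)

    # Time-stomping heuristic: mtime older than ctime beyond the tolerance.
    suspects = []
    for rel in current:
        st = (root / rel).stat()
        if st.st_ctime - st.st_mtime > STOMP_TOLERANCE_SECONDS:
            suspects.append(rel)

    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        "timestomp_suspects": sorted(suspects),
    }


def demo(workdir: Optional[Path] = None) -> Dict[str, List[str]]:
    """Constructed scenario: baseline two files, then tamper with one (and back-date it) and add one."""
    root = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    web = root / "www"
    web.mkdir(parents=True, exist_ok=True)
    (web / "index.html").write_text("<html>ok</html>\n")
    (web / "app.py").write_text("print('hello')\n")
    baseline = build_baseline(web)

    # Simulated tampering (constructed): overwrite a baseline file, then set its
    # mtime 30 days into the past the way a time-stomping tool would.
    (web / "app.py").write_text("print('changed')\n")
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(web / "app.py", (thirty_days_ago, thirty_days_ago))

    # A file that was not in the baseline at all.
    (web / "extra.txt").write_text("constructed new file\n")

    return scan(web, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is that a hash baseline catches the overwritten file regardless of what its timestamps say, and the ctime/mtime comparison independently surfaces the back-dating; an appliance check that only validates a vendor-shipped list of files, or that trusts timestamps, gives neither signal. For a real appliance the baseline must be taken from a known-good image rather than from the device under investigation, because a device that has already been tampered with will simply baseline the tampering.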

Despite Ivanti's assurances that threat actors would lose connection to the Ivanti Connect Secure appliance after implementing security updates and factory resets, CISA has urged all Ivanti customers to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.

On February 1st, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours due to the 'substantial threat' and increased risk of security breaches posed by hacked Ivanti VPN appliances. Agencies were instructed to export configurations, factory reset them, rebuild them using patched software versions released by Ivanti, reimport the backed-up configs, and revoke all connected or exposed certificates, keys, and passwords.

The security vulnerabilities mentioned by CISA in today's advisory have been exploited by nation-state actors as zero-days before being leveraged at a larger scale by a broad range of threat actors to drop multiple custom malware strains. Another Connect Secure zero-day tracked as CVE-2021-22893 was used by suspected Chinese threat groups in 2021 to breach dozens of government, defense, and financial organizations across the United States and Europe.
