Ivanti, a software company, has issued a warning to administrators about a vulnerability that could expose VPN appliances to attacks. This vulnerability is triggered when new device configurations are pushed to appliances after mitigations have been applied, due to a known race condition. The company has advised against pushing configurations until the appliances are patched. "Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched," Ivanti stated in a recent update.
The software company has not yet confirmed whether re-applying the mitigation XML also causes the mitigations to stop working, which seems likely given that the race condition occurs each time new configurations are pushed to an appliance.
This warning follows the first emergency directive of 2024 issued by the Cybersecurity and Infrastructure Security Agency (CISA), instructing U.S. agencies to immediately apply mitigations for two Ivanti Connect Secure (ICS) and Policy Secure (IPS) zero-day flaws. These flaws, identified as CVE-2023-46805 and CVE-2024-21887, have been exploited in widespread attacks by multiple threat actors.
Ivanti ICS and IPS appliances have been targeted in large-scale attacks since at least December, using the aforementioned zero-day flaws. When chained, these vulnerabilities allow attackers to move laterally within compromised networks, collect and exfiltrate data, and establish persistent system access to breached devices by deploying backdoors.
While Ivanti has yet to release security patches, it has released mitigation measures that should block attack attempts and recovery instructions designed to help administrators restore impacted appliances and bring them back into service.
Threat monitoring platform Shadowserver is currently tracking over 21,400 Internet-exposed ICS VPN appliances, over 6,300 of which are in the United States. Over 700 compromised appliances were discovered on January 21 alone.
Threat intelligence company Volexity reported that one of the attackers actively exploiting the two zero-days, a suspected Chinese state-backed threat group tracked as UTA0178 and also monitored by Mandiant as UNC5221, has already backdoored more than 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant. Attackers have also deployed XMRig cryptocurrency miners and Rust-based malware payloads on compromised devices.
Mandiant found five custom malware strains deployed on breached customers' systems to steal credentials, drop additional malicious payloads, and deploy webshells. The attackers have been harvesting and stealing account and session data from the compromised networks of many victims, including government and military entities, national telecom companies, defense contractors, technology companies, banking, finance, and accounting organizations, and aerospace, aviation, and engineering firms. The victims vary significantly in size, from small businesses to some of the largest organizations worldwide, including multiple Fortune 500 companies across a wide range of industry sectors.