Home Security Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

by crpt os


Mar 01, 2024NewsroomRootkit / Threat Intelligence

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of a malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.

Cybersecurity

The directory exclusions were also previously highlighted by Eclypsium this month, stating the tool skips a dozen directories from being scanned, thus allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.

Ivanti Gateway Vulnerabilities

They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Data shared by web security company Akamai shows that approximately 250,000 exploitation attempts have been detected per day, targeting over 1,000 customers from more than 3,300 unique attacking IP addresses located in 18 different countries.

“The majority of these attack attempts were probes that attempted to deliver a payload that sends a beacon request to an attacker-controlled domain, serving as a proof-of-concept (PoC) for successful remote command execution,” Noam Atias and Sam Tinklenberg said.

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex