
[TeamT5 Flash Alert] Ivanti Connect Secure VPN Exploitation: CVE-2023-46805 & CVE-2024-21887

2024.02.14Cyber Threat Intelligence
The following alert is based on our January H2 Vulnerability Insights Report on ThreatVision. TeamT5 Vulnerability Research Team is dedicated to providing timely mitigation and response guidelines to critical vulnerabilities. Contact us for more information about our vulnerability intelligence.
TeamT5 released mitigation and response guidelines to CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure Gateways (PS).

Exploitation Status

Threat actors can chain CVE-2023-46805 and CVE-2024-21887 to bypass authentication on Ivanti ICS and PS appliances and execute commands without any credentials, which lets them deploy malware and move further into the target's network.
  • CVE-2023-46805 is an authentication bypass vulnerability that allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 is a command injection vulnerability that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. When it is chained with CVE-2023-46805 the authentication requirement falls away, so the chain amounts to unauthenticated remote code execution.
Our analysis suggests that CVE-2023-46805 and CVE-2024-21887 have been actively exploited by China-nexus state-sponsored threat actors.
The targeted countries span the globe, including Taiwan, Japan, the Netherlands, South Korea, Indonesia, Malaysia, and Hong Kong.
The targeted sectors are varied, including manufacturing, information technology, education, telecom, construction, critical infrastructure, conglomerates, hospitals, financial services, petrochemicals, real estate development, semiconductors, government, energy, and retail.
Mandiant attributed the attacks to UNC5221, whereas Volexity attributed them to the China-nexus actor UTA0178. TeamT5 assesses with medium confidence, based on the C2 infrastructure, that the attacks come from China-nexus threat actors.

Executive Summary

We assess the severity of CVE-2023-46805 and CVE-2024-21887 as critical and urge our customers to use this report to mitigate their effects. The two vulnerabilities have been exploited as zero-days since December 2023.[1] Ivanti ICS and PS products are widely deployed around the world. Consistent with Mandiant's January report, our further investigation revealed that entities across different sectors in Taiwan, Japan, the Netherlands, South Korea, Indonesia, Malaysia, and Hong Kong have all fallen prey.
Furthermore, proof-of-concept (PoC) exploits for CVE-2023-46805 and CVE-2024-21887 have been circulating in the wild.[2] Public reports also indicate that state actors have exploited both vulnerabilities in attacks. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now requires all Federal agencies to disconnect affected Ivanti products by February 2.[3]
Threat actors, especially state-sponsored APT groups, have been actively exploiting CVE-2023-46805 and CVE-2024-21887. Our research, consistent with public reports,[1][4] suggests that after exploitation the threat actors deploy malware onto the target's devices, such as the GIFTEDVISITOR (aka WIREFIRE) webshell and the IvantiJStealer infostealer. In addition, Mandiant reported the ZIPLINE backdoor, the LIGHTWIRE webshell, and its dropper THINSPOOL.

Affected Products

Ivanti Connect Secure (ICS) versions 9.x and 22.x
Ivanti Policy Secure (PS) versions 9.x and 22.x (listed as affected in Ivanti's advisory)

Mitigation and Response Advisory

1. Official Patch Information

Ivanti initially released a mitigation for CVE-2023-46805 and CVE-2024-21887 (an XML file imported on the appliance) that temporarily blocks the affected URIs (i.e. the REST API endpoints) rather than fixing the underlying flaws, and has since begun releasing patched versions. Apply the mitigation immediately if no patched version is available for your release yet, and upgrade as soon as one is.

Moreover, the threat actors have already tampered with the Integrity Checker Tool (ICT) on compromised Ivanti ICS appliances so that it does not report their modifications. We recommend that our intelligence users download a fresh copy of the external ICT from the following URL, run it against the appliance, and treat any reported mismatch as an indicator of compromise, rather than relying on the tool already installed on the device.

2. TeamT5’s VIR 2024 January H2: CVE-2024-21887

Based on the exploitation status, TeamT5's VIR 2024 January H2: CVE-2024-21887 describes the possible attack scenario and catalogues the associated malware and IOCs. Most importantly, it provides a comprehensive Mitigation and Response Advisory for our intelligence users.
The Mitigation and Response Advisory includes:
  • A mitigation advisory
  • Threat hunting tools: two nuclei-based malware scanners to check whether your Ivanti device has been compromised by the threat actors
  • A YARA rule to detect IvantiJStealer
Contact us for more information about our vulnerability intelligence.


Reference

