Ivanti, the Utah-based software company, has released patches for two critical zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that were disclosed earlier this month. The vulnerabilities affect Ivanti Policy Secure (IPS) and Ivanti Connect Secure (ICS). They have been actively exploited by a Chinese nation-state threat actor, resulting in the compromise of approximately 1,700 devices worldwide since early December. Alongside the patches for the disclosed vulnerabilities, Ivanti has also disclosed two new vulnerabilities, CVE-2024-21888 and CVE-2024-21893, affecting ICS and IPS; the latter is currently under active exploitation. Ivanti recommends that customers factory reset their appliances before applying the patches so that the threat actor cannot persist through the upgrade. The Cybersecurity and Infrastructure Security Agency (CISA) has urged Ivanti customers to apply the patches and mitigations as soon as possible because of the ongoing exploitation. Tenable researchers have warned that Pulse Connect Secure (the former name of Ivanti Connect Secure), the product affected by these vulnerabilities, has been a popular target for ransomware groups and nation-state threat actors [1679772d].
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive demanding immediate action from Federal Civilian Executive Branch (FCEB) agencies in response to zero-day vulnerabilities discovered in products from Ivanti. The vulnerabilities include an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in Ivanti Connect Secure and Ivanti Policy Secure products. These vulnerabilities, when chained together, could allow attackers to move laterally within a target's network, exfiltrate data, and establish persistent system access. Approximately 15 agencies were using the vulnerable devices, but they have since mitigated the bugs. Nuspire, a cybersecurity firm, has taken proactive measures to protect its clients from these vulnerabilities. Agencies running affected products are required to follow CISA's recommendations and Ivanti's instructions to mitigate the risk and protect their systems and data [46726c22].
The vulnerabilities in the popular VPN appliances Ivanti Connect Secure and Policy Secure are being exploited by multiple actors, with evidence suggesting some of the exploitation is motivated by espionage. At least 1,700 Connect Secure devices have been compromised, and investigations are ongoing to determine if any federal agencies have been compromised [a242bbcd].
Hackers are actively exploiting a vulnerability known as 'CitrixBleed' in Citrix's NetScaler ADC and NetScaler Gateway platforms, leading to a wave of mass cyberattacks. The vulnerability allows remote unauthenticated attackers to extract sensitive information, including session tokens, from the memory of vulnerable Citrix devices. At least four threat groups are exploiting this bug, with one group automating the attack process. The LockBit gang recently targeted the U.S. branch of Industrial and Commercial Bank of China (ICBC) by compromising an unpatched Citrix NetScaler appliance, and ICBC reportedly paid the ransom demand. Other affected organizations include Boeing and the international law firm Allen & Overy. Citrix has urged its customers to update to the latest versions of NetScaler ADC and NetScaler Gateway to prevent active exploitation of vulnerabilities that could lead to information disclosure and denial of service (DoS) attacks. The company disclosed the vulnerability on October 10th and warned that it can lead to data disclosure. The risk is greatest when customers run affected builds with NetScaler ADC configured as a gateway or as an AAA virtual server. Managed cloud and Adaptive Authentication customers do not need to take additional action. This disclosure follows a Mandiant report warning that threat actors were able to bypass the patch where exploitation had already occurred, because stolen session tokens remain valid after patching, and urging organizations to terminate all active sessions. Rapid7's head of vulnerability research predicts that this vulnerability will be one of the top routinely exploited vulnerabilities of 2023 [a2697f3d].
Chinese nation-state actors are also actively exploiting two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure VPN services for unauthenticated remote code execution. The vulnerabilities have CVSS scores of 8.2 and 9.1 respectively. The two flaws, an authentication-bypass vulnerability and a command injection vulnerability, have been chained together to let attackers run commands on the system. They affect all supported versions (9.x to 22.x) of Ivanti VPN services. Ivanti has released pre-patch mitigations and is working on a complete patch, scheduled to be released in two successive versions in January and February 2024. Suspected Chinese state hackers, tracked as the nation-state-level threat actor UTA0178, have been exploiting these zero-day vulnerabilities since early December. The vulnerabilities affect the Ivanti Connect Secure VPN appliance and Ivanti Policy Secure gateways, and the hackers have been using them to run commands on the system and access restricted resources. The U.S. Cybersecurity and Infrastructure Security Agency and Australia's top cyber agency have advised federal agencies to follow Ivanti's guidance. A patch for the vulnerabilities will be available later this month. Fewer than 10 customers have been affected by the vulnerabilities. The Chinese government has a history of underwriting digital intelligence gathering and economic espionage operations. The vulnerabilities were added to the Known Exploited Vulnerabilities catalog by the U.S. Cybersecurity and Infrastructure Security Agency [21c32a0d].
In a separate incident, suspected Chinese hackers used two previously unknown software flaws to break into a US-based research organization last month. The hackers gained unfettered access to the victim organization, which conducts research on geopolitics, including China issues. China is known for its voracious appetite for intelligence derived from hacking, and US officials say it is the most prolific and pervasive digital adversary facing the United States. The FBI Director has stated that China's hacking teams outnumber the FBI's cyber agents 50 to 1. The concern now is that the exploit code used by the hackers could leak publicly, allowing lower-skill hackers to replicate the attack. The hackers exploited popular virtual private networking (VPN) software made by the Utah-based IT firm Ivanti. China's surveillance capabilities and its cracking of Apple's AirDrop encryption are also raising concerns [a5d74eee].
Apple released two separate patches in March to fix over 40 flaws in iOS, including two issues already being used in real-world attacks. Google patched multiple flaws in its Chrome browser, including a critical use-after-free flaw. Mozilla fixed two zero-day vulnerabilities in Firefox, one of which is a critical privileged JavaScript execution flaw. Microsoft's March Patch Tuesday fixed over 60 security vulnerabilities, including a remote code execution vulnerability in the Open Management Infrastructure. Cisco, VMware, and SAP also released important updates to fix security vulnerabilities in their software. Google released patches for nearly 40 issues in Android, including two critical bugs in its System component. It is important to update this software as soon as possible to protect against potential attacks [fea1886a].