CISA: Attackers Are Bypassing Ivanti VPN Bug Mitigations

As Ivanti Connect Secure customers await delayed patches, threat actors have ‘developed workarounds to current mitigations,’ the U.S. cybersecurity agency says.

Malicious actors have “recently” figured out how to bypass mitigations for the widely exploited vulnerabilities in Ivanti VPN devices, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Tuesday.

In response to the development, CISA said it’s recommending that Ivanti Connect Secure customers take additional steps to avoid being compromised or minimize the damage from a breach.

The new advisory comes as Ivanti customers await patches, which had originally been planned for initial rollout last week but have been delayed.

In its prior emergency directive, issued Jan. 19, CISA said it had “observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions.”

The updated CISA advisory Tuesday indicates that the wave of attacks has continued. “Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks,” CISA said in the advisory.

Meanwhile, in another troubling development, “some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection,” the agency said.

CISA said it’s recommending that customers perform “continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device.”

Customers should also closely monitor authentication and account usage, as well as identity management services, for signs of exposure, the agency said. Additionally, organizations are advised to isolate such systems from enterprise resources “as much as possible,” according to CISA.
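The CISA guidance above amounts to a hunt over two data sources: the VPN appliance's own session records (which user was given which client address) and the authentication logs of the internal systems that VPN clients reach. The following Python script is an added example, not code from the CRN article, CISA, Ivanti or Volexity. It joins the two sources and flags exactly the behaviours the advisory names: a VPN-assigned address authenticating as an account other than the VPN user (possible use of captured credentials), privileged logins, and one client address fanning out to many hosts (lateral movement). The log formats, the `10.200.0.0/24` client pool, the hostnames, users, addresses and the fan-out threshold are all constructed for the demo; in a real environment they come from the appliance's user-access log and from Windows/Linux authentication events.

```python
"""Hunt for suspicious downstream activity from VPN client addresses.

Added example: not code from the article, CISA, Ivanti or Volexity.
All log data, names and thresholds below are constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Assumed: the address pool the (hypothetical) Ivanti appliance assigns to VPN clients.
VPN_CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")

# Constructed VPN session records: (VPN user, client address assigned to that session).
VPN_SESSIONS = [
    ("alice", "10.200.0.15"),
    ("svc-backup", "10.200.0.23"),
]

# Constructed authentication events from internal hosts:
# (source IP, target host, account used, account is privileged?).
AUTH_EVENTS = [
    ("10.200.0.15", "fileserver01", "alice", False),
    ("10.200.0.15", "fileserver01", "alice", False),
    ("10.200.0.23", "dc01", "svc-backup", False),
    ("10.200.0.23", "dc01", "Administrator", True),
    ("10.200.0.23", "hr-db01", "Administrator", True),
    ("10.200.0.23", "fileserver02", "svc-backup", False),
    ("10.200.0.23", "jump01", "svc-backup", False),
    ("10.200.0.40", "dc01", "jdoe", False),      # pool address with no session record
    ("10.50.1.9", "fileserver01", "bob", False),  # not a VPN client; ignored
]

MAX_HOSTS_PER_CLIENT = 2  # assumed threshold for "fan-out"; tune per environment


def hunt(sessions, events, max_hosts=MAX_HOSTS_PER_CLIENT):
    """Return one finding per VPN client address whose downstream logins look suspicious.

    Each finding lists the client address, the VPN user that owned it (None if the
    appliance has no session for it), the number of distinct hosts it authenticated
    to, and the sorted list of reasons it was flagged.
    """
    vpn_user = {addr: user for user, addr in sessions}
    by_ip = defaultdict(list)
    for src, host, account, privileged in events:
        # Only authentication events that originate from a VPN-assigned address matter.
        if ipaddress.ip_address(src) in VPN_CLIENT_POOL:
            by_ip[src].append((host, account, privileged))

    findings = []
    for src, evs in sorted(by_ip.items()):
        owner = vpn_user.get(src)
        reasons = set()
        hosts = {host for host, _, _ in evs}
        if owner is None:
            # Traffic from the pool with no matching session: spoofed or unlogged client.
            reasons.add("no_vpn_session")
        for _, account, privileged in evs:
            if owner is not None and account != owner:
                # The VPN user is using someone else's credentials downstream.
                reasons.add(f"account_mismatch:{account}")
            if privileged:
                reasons.add("privileged_auth")
        if len(hosts) > max_hosts:
            reasons.add("fan_out")
        if reasons:
            findings.append({
                "source_ip": src,
                "vpn_user": owner,
                "distinct_hosts": len(hosts),
                "reasons": sorted(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(VPN_SESSIONS, AUTH_EVENTS):
        print(finding)
```

The join on the assigned client address is the important design choice: once an appliance is compromised, the attacker's traffic arrives on the internal network from the same pool as legitimate users, so the VPN user name alone tells you little, but an address whose downstream accounts, privilege level or host count do not match the session that owns it is a lead worth pulling.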

Earlier this month, researchers at Volexity reported that “mass exploitation” of the Ivanti Connect Secure vulnerabilities was underway, prompting CISA to release its first emergency directive of 2024.

Victims of the Ivanti VPN attacks are “globally distributed and vary greatly in size,” the Volexity researchers, who first discovered the flaws in December, wrote in a previous post.

The zero-day vulnerabilities were disclosed by Ivanti on Jan. 10 and do not currently have patches available. Ivanti has provided mitigation measures for the vulnerabilities. The company has also urged customers to use an external integrity checker tool (ICT), due to attempts by attackers to tamper with Ivanti’s internal integrity checker tool.

Ivanti had originally said the first patches were expected to become available starting the week of Jan. 22. But in an update Friday, the vendor said “the targeted release of patches for supported versions is delayed.” The new timetable has the first patches being released sometime this week, Ivanti said.

CRN has reached out to Ivanti for comment.

Widespread Impact

In its previous posts, Volexity’s research team wrote that victims of the attacks have ranged “from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”

More than 2,100 Ivanti Connect Secure VPN devices have been compromised in the attacks, according to the latest update from Volexity, published Jan. 18.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

The attacks are coming from a threat actor Volexity tracks as UTA0178, which it believes is a nation-state actor working on behalf of China’s government, as well as from other threat actors, Volexity researchers have said.

Exploitation of the Ivanti VPN vulnerabilities by a “suspected espionage threat actor” began in December, researchers at Mandiant reported previously, confirming earlier findings on the timing of the attacks by Volexity researchers.

The authentication bypass vulnerability (tracked as CVE-2023-46805) has been assigned a CVSS severity score of 8.2 out of 10.0, while the command injection vulnerability (CVE-2024-21887) has been assigned a score of 9.1 out of 10.0.

The two vulnerabilities can be chained by threat actors to target customers of Ivanti’s Connect Secure VPN, Ivanti has said. When chained in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

The vulnerabilities “impact all supported versions” of Connect Secure, Ivanti said. The flaws also impact Ivanti’s Policy Secure gateway.