It was previously reported that Ivanti Connect Secure was vulnerable to an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) actively exploited by threat actors in the wild.
Moreover, these vulnerabilities were added to the CISA’s known exploited vulnerability catalog, and all the FCEB agencies were informed to mitigate these vulnerabilities as soon as possible. However, there has been a massive exploitation of these vulnerabilities worldwide.
Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.
Massive Exploitation of Ivanti VPN
According to the reports shared with Cyber Security News, there were more than 26000 unique internet-facing Ivanti Connect Secure hosts. Among these, 412 hosts were found to be compromised by threat actors with a backdoor due to credential theft.
In addition to this, Ivanti has not yet released a patch to fix this vulnerability. Instead, they have provided recovery, workarounds, and mitigations for this vulnerability. As per the emergency directive released by CISA, the exploitation of these two vulnerabilities was mandated to be mitigated by Federal Civilian Executive Branch (FCEB) agencies.
Additionally, it was also mentioned that these vulnerabilities are particularly serious due to the widespread exposure of internet-facing systems and the mitigation complexity, along with the absence of the official patch from Ivanti.
Volexity Research
As per Volexity’s research of these vulnerabilities, there was a legitimate Javascript component (https://cdn.cybernoz.com/danana/auth/lastauthserverused.js), which was leveraged to keep in memory of the last selected authentication realm.
However, this was discovered to be modified by threat actors to include various mechanisms for hijacking and exfiltration of client login information. Furthermore, this backdoored javascript sends usernames, passwords, and the authentication URL to a threat actor-controlled HTTP server.
Nevertheless, secondary scans on the compromised hosts revealed more than 22 variants of callback methods which could indicate that there was more than one threat actor involved in this massive exploitation.
Volexity provides detailed information about these vulnerabilities, their exploitation, and other information. The massive exploitation scan was performed by researchers at Censys, which provides a full complete report about the scan results and the compromised hosts.
It is recommended for all the users of Ivanti to mitigate these vulnerabilities as advised in the security advisory by Ivanti until an official patch is released from the vendor.