Read the original article at https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure
Today, CISA and the following partners released joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways:
- Federal Bureau of Investigation (FBI)
- Multi-State Information Sharing & Analysis Center (MS-ISAC)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
- New Zealand National Cyber Security Centre (NCSC-NZ)
- CERT-New Zealand (CERT NZ)
The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Additionally, the advisory describes two key CISA findings:
- The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and
- A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.
The advisory provides cyber defenders with detection methods and indicators of compromise (IOCs) as well as mitigation guidance to defend against this activity. Note: As exploitation is ongoing as of publication of this advisory, CISA will provide updates to the Additional Resources list below as they are made available.
CISA and its partners urge cyber defenders to review this advisory and consider the significant risk of cyber threat actor access to, and persistence on Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Additional Resources
- Organizations using these devices should assume a threat actor is maintaining persistence and lying dormant for a period before conducting malicious actions. For more on this specific technique, see Identifying and Mitigating Living Off the Land Techniques.
- CISA has issued Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities as well as corresponding Supplemental Direction to ED 24-01 to federal agencies.
Read the original article at https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure