Usage subject to Terms and Conditions

Read the original article at https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure

Today, CISA and the following partners released joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

  • Federal Bureau of Investigation (FBI) 
  • Multi-State Information Sharing & Analysis Center (MS-ISAC) 
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) 
  • United Kingdom National Cyber Security Centre (NCSC-UK) 
  • Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment 
  • New Zealand National Cyber Security Centre (NCSC-NZ) 
  • CERT-New Zealand (CERT NZ) 

The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Additionally, the advisory describes two key CISA findings:  

  1. The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and  
  2. A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device. 

The advisory provides cyber defenders with detection methods and indicators of compromise (IOCs) as well as mitigation guidance to defend against this activity. Note: As exploitation is ongoing as of publication of this advisory, CISA will provide updates to the Additional Resources list below as they are made available. 

CISA and its partners urge cyber defenders to review this advisory and consider the significant risk of cyber threat actor access to, and persistence on Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment. 

Additional Resources 

Read the original article at https://www.cisa.gov/news-events/alerts/2024/02/29/cisa-and-partners-release-advisory-threat-actors-exploiting-ivanti-connect-secure-and-policy-secure