Affected by the Ivanti Connect Secure Threat? Here’s What Went Down and What to Do

January 31, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring all federal agencies running Ivanti Connect Secure or Ivanti Policy Secure to act. It followed the disclosure of two zero-day vulnerabilities in those products that threat actors were already exploiting, and CISA’s investigation into the impact on federal agencies. Ivanti sells secure access software: Connect Secure is an SSL VPN gateway that lets remote employees reach organizational data and work accounts, and Policy Secure is its network access control counterpart.

What has been revealed since the January 10 disclosure is that the two bugs were chained to compromise more than 1,500 Connect Secure VPN appliances, putting corporations and governments at risk. Preliminary investigations suggest the threat actor is linked to the Chinese government. Given the scale of the compromise, CISA issued Emergency Directive 24-01, which orders federal agencies to apply Ivanti’s mitigation and check their appliances for signs of compromise. 

Here’s a rundown of the events leading up to the discovery and what to do to remedy any threats to your organization.

Volexity Exposes Threat Actors

Volexity found the vulnerabilities in December 2023 while investigating suspicious activity on a customer’s network that traced back to its Ivanti Connect Secure VPN appliance, and disclosed them jointly with Ivanti on January 10. Once the flaws were public, security and operations teams watching Ivanti appliances saw mass scanning for them, and multiple organizations reported that their devices had been compromised. 

The attackers planted a webshell, which Volexity named “GIFTEDVISITOR”, on compromised appliances to keep a backdoor into organizational networks; the webshell let them upload files and execute commands. CVE-2023-46805 is the first of the two zero-days: an authentication bypass in the web component of Ivanti Connect Secure and Ivanti Policy Secure. It let an unauthenticated remote attacker skip control checks and reach restricted resources. 

The second, CVE-2024-21887, is a command injection flaw in the same web components. On its own it lets an authenticated administrator send crafted requests that execute arbitrary commands on the appliance; chained with the authentication bypass, it gives an unauthenticated attacker the same ability. Together the two bugs amount to unauthenticated remote code execution on internet-facing VPN gateways, which is what put organizations at such serious risk.

Mitigation Efforts from CISA and Ivanti

Eric Goldstein, executive assistant director at CISA, held a press call to address the risk to US agencies. The investigation revealed significant levels of threat to various Federal Civilian Executive Branch (FCEB) agencies. 

CISA issued Emergency Directive 24-01 in response to the widespread exploitation of the two defects. Ivanti’s mitigation guidance, which the directive adopted, gave users concrete steps to protect their appliances and accounts: 

  • Downloading “mitigation.release.20240107.1.xml” from Ivanti’s download portal and importing it on each Connect Secure and Policy Secure appliance. The mitigation is an interim workaround, not a patch: it disables some product management features and, correctly applied, prevents further exploitation until patched releases can be installed. 
  • After importing the XML file, downloading and running Ivanti’s External Integrity Checker Tool (ICT). The external ICT compares the appliance’s files against a known-good baseline to detect tampering such as planted webshells; note that the appliance reboots when the check completes, so plan for the outage. 

The ICT result tells you whether the appliance shows signs of compromise. If it does, here’s what you need to do: 

  • You’ll need to notify CISA and report the details of the exposure via [email protected]
  • Security teams will need to disconnect the affected appliances from the network and begin incident analysis. They should capture forensic hard drive images to preserve evidence from the affected hardware before any reset, then hunt for further evidence of exposure and/or unauthorized access, both on the appliance and on the systems reachable from it. 
  • To return a compromised appliance to service, Ivanti’s guidance is to reset it to factory defaults, rebuild it, and re-import the XML mitigation file before reconnecting it. 
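The check performed in the second step above, as an added illustration of the technique rather than Ivanti’s own tool: a baseline manifest of file hashes is compared with the current filesystem, and any modified, added or removed file is reported. The directory layout, file names and “webshell” contents below are constructed for the example and are not Ivanti’s.

```python
# Added example (not Ivanti's code): a minimal file-integrity check of the
# kind an integrity checker tool performs. It hashes every file under a
# directory tree, compares the result with a known-good manifest, and
# reports files that were modified, added or removed. A planted webshell or
# a backdoored CGI script shows up as an added or modified file. The
# "appliance web root" and its baseline are constructed inline so the
# example runs offline; the file names are illustrative only.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff a baseline manifest against the current state of the tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "static").mkdir()
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "static" / "app.js").write_text("console.log('app');\n")
        (root / "static" / "legacy.js").write_text("// unused\n")
        # In practice the baseline is shipped by the vendor and kept off-box.
        baseline = build_manifest(root)

        # Simulated intrusion: backdoor an existing CGI, drop a new webshell,
        # and delete a file. None of this is real Ivanti content.
        (root / "cgi-bin" / "login.cgi").write_text(
            "#!/usr/bin/perl\nsystem($ENV{'HTTP_X_CMD'});\nprint 'ok';\n"
        )
        (root / "cgi-bin" / "shell.cgi").write_text(
            "#!/usr/bin/perl\nsystem($ENV{'QUERY_STRING'});\n"
        )
        (root / "static" / "legacy.js").unlink()

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The value of such a check depends entirely on where the baseline and the checker come from: a manifest stored on the appliance can be rewritten along with the files it covers, so both must be obtained from a source the attacker cannot edit, and a clean result only means the scanned files match, not that configuration, credentials or sessions are unaffected.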

Chinese Threat Actors Suspected of Spying on Federal Agencies

One of the biggest concerns coming out of preliminary investigations is the danger of Chinese nation-state threat actors spying on US federal agencies. According to Volexity, the actor, which it tracks as UTA0178, is believed to be operating on behalf of China, though attribution has not been confirmed. Volexity observed UTA0178 chaining the two vulnerabilities to gain unauthenticated remote code execution on the appliance, then using that access to steal configuration data, modify existing files, download remote files, and reverse-tunnel from the Ivanti Connect Secure (ICS) VPN appliance into the victim network.

The suspected espionage fits a broader pattern of state-backed activity from the People’s Republic of China. The aim of these nation-state threat actors is to advance the Chinese government’s efforts to amass power through predatory lending, intellectual property theft, and malicious cyber activity. China’s targets, including businesses, academia, research, law, and even individual American citizens, are broad-reaching and require a coordinated response from all corners of society. “The greatest long-term threat to our nation’s information and intellectual property, and to our economic vitality, is the counterintelligence and economic espionage threat from China,” said FBI Director Christopher Wray. 

Norway’s Brush with Ivanti’s Security Breaches

Unfortunately for Ivanti, this isn’t their first rodeo. In July 2023, Ivanti disclosed CVE-2023-35078, an unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core), a different product from Connect Secure. In that instance, the defect let threat actors read users’ personal information and make limited changes to the server. 

Ivanti’s spokesperson said the investigation was ongoing and that a patch had been developed and distributed to customers within days of discovery. To contain the incident and protect customers, the patch was sent out before the announcement was made public. “Our materials are subject to confidentiality and TLP because we don’t want to make it easier for the exploitation to get out,” said their spokesperson. Caught in the fray was the Norwegian government. Officials noted a “data attack” on a software platform used across government agencies. Fortunately, the Office of the Prime Minister, the Ministry of Defence, the Ministry of Justice and Public Security, and the Ministry of Foreign Affairs were not affected by the cyberattack. 

Director of the Departments’ Security and Service Organization (DSS), Erik Hope, said, “We have uncovered a previously unknown vulnerability in the software of one of our suppliers. This vulnerability has been exploited by an unknown actor. We have now closed this vulnerability. It is too early to say anything about who is behind it and the extent of the attack.” 

Conclusion

Organizations and agencies that rely on software like Ivanti’s VPN for remote workers are increasingly exposed to compromise. Cybersecurity firm Volexity was first on the scene, reporting two zero-day vulnerabilities exploited in the wild by a threat actor suspected of links to the Chinese government. This prompted swift action from CISA to limit data breaches across the many agencies that use Ivanti software. Ivanti delivered its mitigation to customers before publishing details, with the aim of denying attackers a head start, but critics remain unconvinced, since this is the third Ivanti vulnerability exploited in the wild in a one-year period. Ivanti customers are encouraged to apply the mitigation and the latest patches, check their appliances for compromise, report any findings to CISA, and remain vigilant while using the software.