Date: 31-1-2024

This is an update to our Threat Response of the 11th of January regarding critical vulnerabilities in Ivanti Connect Secure VPN.

 

In addition to our previous Threat Response, we want to draw your attention to the following:

Ivanti has released upgrades for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. If you have not already done so, we urge you to patch your systems as soon as possible. The upgrade resolves four vulnerabilities present in the Ivanti Connect Secure software, tracked as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.

CISA[2] warns defenders that it has observed active exploitation of CVE-2023-46805 and CVE-2024-21887. Combined, CVE-2023-46805 and CVE-2024-21887 allow an unauthenticated attacker to gain access to the Ivanti appliance. In addition, the mitigations presented in our earlier Threat Response were not effective against all cases of exploitation. CISA also mentions that attackers were able to subvert the Ivanti Integrity Checker Tool (ICT), leaving minimal traces of exploitation.

If you have an indication that your system may be compromised, please call our CERT on the following number: 00800 1744 0000

What will Northwave do?

For customers with Endpoint Detection & Response (EDR) based on Defender for Endpoint installed on the Ivanti VPN appliance, Northwave has created and implemented a detection rule capable of detecting modifications of the Ivanti VPN configuration files, which could indicate an exploitation attempt. Besides the new detection rule, Northwave always alerts on post-exploitation activities, such as Reconnaissance and Lateral Movement.

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

 

Disclaimer applies, see below.

Sources

[1]: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

[2]: https://www.cisa.gov/news-events/alerts/2024/01/30/new-mitigations-defend-against-exploitation-ivanti-connect-secure-and-policy-secure-gateways


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.