A new Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability has come under exploitation. This vulnerability (tracked as CVE-2024-21893) was first documented in a patch released on Jan 31. Exploitation of CVE-2024-21893 enables malicious actors to bypass authentication and access restricted files in the organization.
Ivanti Users beware!
For new users, CVE in this scenario stands for Common Vulnerabilities and Exposures. It is a public program that aims to identify, define, and catalogue cybersecurity vulnerabilities that are publicly known. This helps to inform and direct the cybersecurity efforts of organizations and bodies seeking to safeguard their environments.
Ivanti cautioned users and warned them about the flaws, which were identified and disclosed on January 31, 2024. SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. An identity provider authenticates the credentials a user provides and conveys the result, via an authentication token, to other applications, termed service providers.
The Story So Far
CVE-2024-21893 was disclosed on January 31 as already under zero-day exploitation. Cybersecurity experts suspect that it is related to two other, earlier-disclosed vulnerabilities in Ivanti’s platform (CVE-2023-46805 and CVE-2024-21887). While not as recent (both were disclosed in December), attackers, including a suspected China-nexus threat actor, have taken advantage of both vulnerabilities in tandem to compromise thousands of devices. The Chinese espionage threat group UTA0178/UNC5221 took advantage of this window to install webshells and backdoors on compromised devices, leading to almost 1,700 infections.
Partnered with Mandiant (a cybersecurity firm and a subsidiary of Google), Ivanti issued a security patch for these two vulnerabilities. However, two additional vulnerabilities were identified: CVE-2024-21888 and the main topic of this article, CVE-2024-21893. Attackers were able to continue exploiting the earlier vulnerabilities in spite of Ivanti’s initial mitigations, and affected devices even had their configuration files compromised. This delayed the patch for the two earlier vulnerabilities, shifting the release date from 22 January to 31 January.
The latter vulnerability is being taken extremely seriously. After its disclosure on 31 January, Ivanti reported that a significant number of customers had been impacted by exploitation of CVE-2024-21893. Furthermore, the exploitation volume shown in the chart below from Shadowserver, a threat monitoring service, far surpasses that of other recently addressed or fixed Ivanti flaws. This points to a shift in the focus of malicious actors.
In these cases, attackers attempted to deploy a ransomware payload as a DLL executed through a rundll32.exe command, launched from a DOS batch file (PP.bat) placed on the desktop.
Exploitation Volume for Latest Ivanti Flaws
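The rundll32.exe-from-desktop-batch chain described above is one a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the original article or from Ivanti, Shadowserver or Adventus; the event records are constructed samples in the shape of Sysmon Event ID 1 data, and the field names (pid, ppid, image, cmdline) are assumptions to adapt to your SIEM schema.

```python
"""Flag rundll32.exe loading a user-path DLL when its parent ran a .bat from a Desktop folder."""
import re

# Constructed sample records (not real logs); field names are assumed.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5200, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Desktop\PP.bat"'},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\Desktop\payload.dll,Start"},
    # Benign control: rundll32 loading a system DLL by bare name, parent is not a batch file.
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# A .bat path anywhere under a Desktop folder in the parent's command line.
BATCH_FROM_DESKTOP = re.compile(r'\\Desktop\\[^\s"]+\.bat\b', re.IGNORECASE)
# rundll32 followed by the DLL argument (up to the first comma or whitespace).
RUNDLL_DLL_ARG = re.compile(r"rundll32(\.exe)?\s+(?P<dll>[^\s,]+\.dll)", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def find_suspicious_chains(events):
    """Return (batch_pid, rundll32_pid, dll_path) for each rundll32.exe whose parent
    launched a .bat from a Desktop folder and whose DLL lives outside system dirs."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("rundll32.exe"):
            continue
        m = RUNDLL_DLL_ARG.search(e["cmdline"])
        if not m:
            continue
        dll = m.group("dll")
        # A bare DLL name resolves via the system search path; a full system path is also benign.
        if "\\" not in dll or dll.lower().startswith(SYSTEM_DIRS):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and BATCH_FROM_DESKTOP.search(parent["cmdline"]):
            hits.append((parent["pid"], e["pid"], dll))
    return hits


if __name__ == "__main__":
    for batch_pid, rundll_pid, dll in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT: batch pid {batch_pid} -> rundll32 pid {rundll_pid} loading {dll}")
```

The parent lookup relies on the batch-launching cmd.exe event being present in the same window of telemetry; when it is missing, only the rundll32 event itself remains to be judged.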
It’s clear that the recurring nature of the vulnerabilities uncovered has heavily compromised organizations that rely on Ivanti for security. The US Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect appliances running Ivanti Connect Secure and Policy Secure VPN software. Older versions of Ivanti firmware remain vulnerable, with no patches released yet. CISA cautions private organizations to take precautions around their endpoints and security, particularly if they are Ivanti users, and encourages them to be wary of the trust placed in their environment in general.
Adventus Recommends Zero Trust Network Access (ZTNA)
In light of these new vulnerabilities and the ever-growing threat landscape, our priority is to ensure the protection of customers and prospects in the quickest possible time.
Zscaler and our community of trusted cybersecurity partners can help your organization transition to a ZTNA framework. This eliminates the need for any VPN usage and removes additional risk for your users and business.
As a partner with Zscaler, Adventus has previously co-hosted a webinar on Implementing Zero Trust for the Modern Workplace. If you missed this webinar, don't worry! Get in touch with us and safeguard your organization today.