Ivanti VPN Vulnerability: Mitigation Strategies, Incident Response, and Defense
Chinese state-sponsored hackers have targeted recently announced vulnerabilities in Ivanti VPN products, Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. These vulnerabilities are reported as CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
When chained together, these vulnerabilities allow authentication bypass and remote command execution. Ivanti has released patches for these vulnerabilities for the most widely used versions of its products, but the company has not yet released patches for all vulnerable versions. This leaves those who are not yet able to apply a patch at heightened risk of privilege escalation and server-side request forgery.
Ivanti Security Measures and Recommendations
Unit 42® advises applying patches for these vulnerabilities immediately as they are made available, and taking a proactive stance on resetting systems before patching to ensure environmental integrity. In response to the newly discovered vulnerabilities, we echo CISA's recommendation to disconnect compromised appliances from the network and stress the importance of applying available or forthcoming patches diligently.
In the latest segment of the Threat Vector podcast, Unit 42 cybersecurity experts Sam Rubin, VP and Global Head of Operations, and Ingrid Parker, Senior Manager of the Intel Response Unit, dive deep into the critical vulnerabilities found in Ivanti’s Connect Secure and Policy Secure products. They explore the vulnerabilities’ potential impact, the urgency of mitigation, and strategies for defense.
Unit 42 Incident Response Cases
The exploitation campaigns of the CVE-2023-46805 and CVE-2024-21887 Ivanti vulnerabilities occurred in three distinct waves.
The first wave lasted from at least the second week of December 2023 to Jan. 10, 2024, when Volexity published their first blog post on the matter. The attacks in this campaign were targeted and featured multiple custom web shells and lateral movement. Unit 42 responded to threat activity that likely corresponded to this wave of campaigns.
Similar to the activity discussed in Volexity’s blog post, we observed the threat actor performing the following activities:
- Archiving files including NTDS.dit using 7-Zip before exfiltration
- Creating a memory dump of the LSASS process using Windows Task Manager (Taskmgr.exe)
- Moving laterally via remote desktop protocol (RDP)
- Deleting logs
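The four first-wave behaviours listed above map cleanly onto host telemetry, so a detection pass can be written against it. The following Python is an added example, not code from the original post or from Unit 42: it runs four rules over constructed Windows Security/Sysmon-style event records (the field names and the sample events are assumptions of this example) and reports which of the behaviours, and how many distinct ones, appear.

```python
import re

# Constructed sample events for this example (not from a real incident). Field
# names loosely follow Windows Security (4688/4624/1102) and Sysmon (11) logs.
SAMPLE_EVENTS = [
    {"id": 4688, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\Windows\Temp\a.7z C:\Windows\Temp\ntds.dit"},
    {"id": 11, "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\lsass.DMP"},
    {"id": 4624, "logon_type": 10, "user": "svc-backup", "src_ip": "10.0.0.23"},
    {"id": 1102, "user": "svc-backup"},
    {"id": 4688, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 4624, "logon_type": 3, "user": "svc-backup", "src_ip": "10.0.0.23"},
]

def is_ntds_archiving(ev):
    # 7-Zip (7z.exe / 7za.exe / 7zr.exe) with NTDS.dit on its command line
    return (ev.get("id") == 4688
            and re.search(r"\\7z[a-z]*\.exe$", ev.get("image", ""), re.I) is not None
            and "ntds.dit" in ev.get("cmdline", "").lower())

def is_taskmgr_lsass_dump(ev):
    # Task Manager writing an lsass dump file (its "Create dump file" action)
    return (ev.get("id") == 11
            and ev.get("image", "").lower().endswith("\\taskmgr.exe")
            and ev.get("target", "").lower().endswith("\\lsass.dmp"))

RULES = {
    "ntds_archived_with_7zip": is_ntds_archiving,
    "lsass_dump_via_taskmgr": is_taskmgr_lsass_dump,
    # logon type 10 is RemoteInteractive, i.e. an RDP session
    "rdp_logon": lambda ev: ev.get("id") == 4624 and ev.get("logon_type") == 10,
    "security_log_cleared": lambda ev: ev.get("id") == 1102,
}

def detect(events):
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

def chain_score(events):
    """Number of distinct first-wave TTPs seen; >= 3 suggests the full chain."""
    return len({name for name, _ in detect(events)})

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name}: event #{idx} -> {SAMPLE_EVENTS[idx]}")
    print("distinct TTPs:", chain_score(SAMPLE_EVENTS))
```

An RDP logon on its own is routine; the value is in `chain_score`, which raises priority when several of these behaviours cluster on one host or account.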
The second wave began after Volexity’s first blog post on Jan. 10, 2024. This wave was marked by a shift from targeted attacks to mass exploitation by additional threat actors.
Unit 42 responded to cases of threat activity that likely corresponded to this wave of campaigns. The threat activity was consistent across these cases.
The threat actor dumped configuration data containing the schema, settings, names and credentials of the various users and accounts within the network but, unlike in the first-wave incidents, did not perform any lateral movement.
Unit 42 believes that the threat actors behind this activity might have shifted focus to wider exploitation to maximize impact before organizations could begin patching and applying mitigation guidance.
The third wave began as early as Jan. 16, 2024, when proof-of-concept (PoC) exploits became publicly available. The release of these exploits led to mass exploitation by a range of actors with various motivations and degrees of sophistication, including criminal entities widely deploying cryptominers and various remote monitoring and management (RMM) software.
Unit 42 has responded to threat activity that likely corresponded to this wave, from a threat actor using a publicly available PoC exploit. We are currently supporting our clients investigating those incidents.
Comprehensive Ivanti Defense Strategies
The discovery of these vulnerabilities underscores the need for vigilant security measures and rapid response capabilities. It has exposed critical weaknesses in widely used virtual private network (VPN) technologies that sophisticated threat actors are actively exploiting. These vulnerabilities allow unauthorized access and control, posing significant risks to organizational networks.
The following strategies are critical for maintaining a strong security posture against evolving cyberthreats, ensuring the protection of sensitive information and critical infrastructure:
- Inventory your assets: Catalog all network devices, systems and software.
- Choose the right tools: Utilize vulnerability scanning tools that best fit your IT environment's complexity and scale.
- Scan for vulnerabilities: Regularly run scans to identify security weaknesses in your systems.
- Analyze the results: Carefully review scan results to prioritize vulnerabilities based on their severity and potential impact.
- Remediate and patch: Apply necessary patches or workarounds to mitigate identified vulnerabilities.
- Repeat and review: Monitor and reassess your security posture to adapt to new threats.
Be sure to check our advanced Ivanti Emerging Threat Report.
Adopting a Comprehensive Cybersecurity Strategy
Taking significant measures to protect your network from potential cyberthreats is essential. Some methods to safeguard your network include hiding applications and VPNs from public internet visibility to shield them from attackers. You should also thoroughly inspect all inbound and outbound traffic to neutralize threats such as malware and zero-day exploits.
Applying the principle of least privilege across your network is another vital step. This ensures that users can only access resources necessary for their roles. You should also strengthen access controls by using robust multifactor authentication to verify user identities effectively.
Connecting users directly to applications rather than the broader network is also recommended. This minimizes potential damage from security incidents. Utilizing continuous monitoring is also essential to identify and mitigate threats posed by compromised insiders or external actors.
To protect sensitive data, diligent monitoring and encryption should be applied both in transit and at rest. Employing deception technologies and proactive threat hunting can help identify and neutralize threats before they can cause harm.
Fostering a culture of security awareness within your organization can also defend against common vectors like phishing. Regularly evaluating your security measures through assessments and simulations can help identify and address vulnerabilities.
Palo Alto Networks Zero Trust Approach
In response to these threats, Palo Alto Networks emphasizes the criticality of a Zero Trust architecture, providing secure, segmented access to applications without exposing them to direct internet threats. Our solutions, including advanced threat prevention and segmentation policies, are designed to minimize the attack surface, prevent unauthorized access, and detect and respond to threats in real-time.