Full Report
In a recent series of blog posts related to two zero-day vulnerabilities in Ivanti Connect Secure VPN, Volexity shared details of active in-the-wild exploitation; provided an update on how exploitation had gone worldwide; and reported observations of how malware and modifications to the built-in Integrity Checker Tool were used to evade detection. A critical piece of Volexity's initial investigation involved collecting and analyzing a memory sample. As noted in the first blog post of the three-part series (emphasis added):

> "…Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance."

Collect & Analyze Memory ASAP

Volexity regularly prioritizes memory forensics […]

The post How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities appeared first on Volexity.
Analysis Summary
# Incident Report: Chained Zero-Day Exploitation of Ivanti Connect Secure VPN
## Executive Summary
Volexity observed and analyzed the active exploitation of two chained zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances, leading to unauthenticated Remote Code Execution (RCE). The investigation heavily relied on memory forensics to reconstruct the exploit chain, identify attacker commands, and pinpoint the vulnerable API endpoints. A critical finding was the adversary's attempt to evade detection by modifying the device's built-in Integrity Checking Tool.
## Incident Details
- Discovery Date: January 2024 (Implied initial observation/reporting began around this time)
- Incident Date: Active exploitation observed prior to initial disclosure (Early January 2024)
- Affected Organization: Implied to be multiple, global organizations due to the worldwide spread of exploitation.
- Sector: Various (VPN/Security Appliance Focus)
- Geography: Worldwide exploitation reported.
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but active exploitation was ongoing when reports surfaced.
- Vector: Chained exploitation of two zero-day vulnerabilities in the Ivanti Connect Secure VPN appliance.
- Details: Attackers achieved **unauthenticated Remote Code Execution (RCE)** by chaining two separate zero-day flaws. The vulnerable API endpoint identified was `POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection`.
### Lateral Movement
- Details: Memory analysis revealed evidence of the attacker running commands such as `/bin/bash /tmp/5 2>&1|base64`. While specific lateral movement steps across the internal network are not detailed, the RCE allowed for initial command execution on the appliance itself. Subsequent observations indicated potential persistence mechanisms like injected shared libraries.
### Data Exfiltration/Impact
- Details: The article focuses heavily on the initial compromise mechanism derived from memory analysis, rather than detailed data exfiltration specifics. The primary impact detailed is **full unauthenticated command execution on the ICS VPN appliance**.
### Detection & Response
- Detection: The incident was detected through forensic analysis, primarily involving the collection and analysis of a memory sample from a suspected compromised VPN device.
- Response Actions: Volexity used memory forensics tooling (Volcano) to reconstruct the full exploit chain, identify the precise attacker commands, and confirm exploitation. Response efforts by affected parties included running the built-in Integrity Checking Tool, though attackers were observed modifying this tool to evade detection.
## Attack Methodology
- Initial Access: Chaining two unknown zero-day exploits in the Ivanti Connect Secure VPN resulting in RCE.
- Persistence: Post-exploitation activities included indications of malware installation and attempts to deploy injected shared libraries. Attackers were also observed modifying the local Integrity Checking Tool for evasion.
- Privilege Escalation: Not explicitly detailed, but RCE on a network appliance often grants high privileges, allowing system command execution.
- Defense Evasion: Modifying the device’s built-in Integrity Checking Tool was a specific defense evasion technique observed.
- Credential Access: Not explicitly detailed in the analyzed artifacts.
- Discovery: String searches of the memory sample surfaced attacker commands such as `base64 -d`.
- Lateral Movement: Using RCE to execute bash scripts (e.g., running `/tmp/5`).
- Collection: Commands were likely executed to gather necessary data or tools, indicated by the post-exploitation commands found in memory.
- Exfiltration: Not explicitly detailed in the provided text.
- Impact: Unauthorized command execution on the edge device.
## Impact Assessment
- Financial: Not available.
- Data Breach: Not explicitly detailed, but RCE on a VPN gateway poses a high risk for data exposure.
- Operational: Compromise of the VPN appliance (a critical access point).
- Reputational: High due to the exploitation of widely used, externally facing infrastructure.
## Indicators of Compromise
- Network Indicators (Defanged): Remote IP address `98[.]160[.]48[.]170` observed in relation to the exploit staging (source of attacks/C2).
- File Indicators: Shell script artifact located at `/tmp/5`.
- Behavioral Indicators: Use of the command `base64 -d` followed by execution of decoded payloads; POST request to the vulnerable API endpoint `POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection`.
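As an added example (not code from Volexity or the original post), the following Python matches the request-path, source-IP and in-memory command indicators listed above against constructed sample data. The access-log line format, the indicator names and every sample line are assumptions; only the endpoint path, the IP address and the command strings come from the report.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Indicator values as listed in the report above.
TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code/"
TARGET_ENDPOINT = "/api/v1/system/maintenance/archiving/cloud-server-test-connection"
KNOWN_BAD_IP = "98.160.48.170"
MEMORY_PATTERNS = {
    "base64_decode": re.compile(r"\bbase64\s+-d\b"),
    "tmp_script_exec": re.compile(r"/bin/bash\s+/tmp/\S+.*\|\s*base64"),
}
# Constructed access-log format (an assumption, not the appliance's real format):
# <client-ip> "<METHOD> <raw-path> HTTP/1.x" <status>
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize_path(raw_path):
    """Strip the query string, decode percent-encoding twice (defeats double
    encoding) and collapse '..' segments the way a backend would resolve them."""
    return normpath(unquote(unquote(raw_path.split("?", 1)[0])))

def check_request(line):
    """Return the set of indicator names one access-log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    ip, method, raw_path, _status = m.groups()
    hits = set()
    decoded = unquote(unquote(raw_path))
    # The exploit reaches the maintenance endpoint by traversing out of the
    # TOTP backup-code path, so match on the traversal plus the resolved target.
    if (method == "POST" and decoded.startswith(TRAVERSAL_PREFIX)
            and ".." in decoded and normalize_path(raw_path) == TARGET_ENDPOINT):
        hits.add("traversal_to_maintenance_endpoint")
    if ip == KNOWN_BAD_IP:
        hits.add("known_bad_source_ip")
    return hits

def scan_memory_strings(strings):
    """Return (indicator, string) pairs for command fragments like those
    Volexity found in the memory sample."""
    return [(name, s) for s in strings
            for name, pat in MEMORY_PATTERNS.items() if pat.search(s)]

if __name__ == "__main__":
    # Constructed sample data, not captured from a real appliance.
    sample = '98.160.48.170 "POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection HTTP/1.1" 200'
    print(check_request(sample))
    print(scan_memory_strings(["/bin/bash /tmp/5 2>&1|base64", "echo ok"]))
```

A request that reaches the maintenance endpoint directly, without the traversal, is not flagged, so pair this with the appliance's own authentication logs rather than treating it as a complete detection.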
## Response Actions
- Containment: Not detailed specifically in the analysis summary, but implied action following detection.
- Eradication: Unknown/Not detailed for affected organizations.
- Recovery: Unknown/Not detailed for affected organizations. *Note: A key finding emphasized the importance of independently verifying system state due to tool modification.*
## Lessons Learned
- Memory forensics proved essential for confirming the exploit chain, identifying exact commands run by the attacker, and quickly developing Proof-of-Concept exploits while disk imaging occurred.
- Relying solely on native security tools (like the Ivanti Integrity Checking Tool) on a potentially compromised device is insufficient, as threat actors actively seek to subvert them. Independent verification via external forensic methods (like memory analysis) is crucial when dealing with zero-days.
- Speed of investigation matters; leveraging memory forensics provided a critical head start.
## Recommendations
- Implement robust, out-of-band memory acquisition and analysis procedures for all externally facing edge devices immediately following indicators of compromise.
- Enhance detection capabilities to specifically look for modifications to native system integrity checking tools.
- When investigating compromises involving zero-day exploitation on network appliances, prioritize memory collection over prolonged disk imaging to rapidly identify in-memory malware and execution patterns.