Full Report
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be further used to check and verify systems.
On January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the same day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of these […]
The post Ivanti Connect Secure VPN Exploitation Goes Global appeared first on Volexity.
Analysis Summary
# Incident Report: Widespread Exploitation of Ivanti Connect Secure VPN Zero-Days
## Executive Summary
Between December 2023 and early January 2024, widespread exploitation of two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure (ICS) VPN appliances was observed, initially linked to threat actor UTA0178. Exploitation rapidly broadened, affecting over 1,700 devices worldwide across critical sectors. The activity consisted of initial access through the two vulnerabilities followed by persistence via webshells, including a variant of GIFTEDVISITOR; affected organizations need to apply the mitigation immediately and conduct forensic investigation.
## Incident Details
- Discovery Date: Early observations reported on 2023-12-03; Public disclosure on 2024-01-10.
- Incident Date: Earliest exploitation observed 2023-12-03.
- Affected Organization: Multiple organizations globally (over 1,700 devices identified by scan methodology).
- Sector: Global government/military, telecommunications, defense contractors, technology, banking/finance, consulting, aerospace/aviation/engineering.
- Geography: Worldwide (Globally distributed).
## Timeline of Events
### Initial Access
- Date/Time: Earliest observed exploitation on **2023-12-03**.
- Vector: Authentication Bypass (**CVE-2023-46805**) combined with Command Injection (**CVE-2024-21887**) in Ivanti Connect Secure VPN appliances.
- Details: Initial actor UTA0178 was observed exploiting the vulnerabilities. On 2024-01-11, widespread scanning and exploitation by additional threat actors (including evidence of UTA0188 activity) commenced.
### Lateral Movement
- Details: Compromised devices were found to be backdoored with a slightly different variant of the **GIFTEDVISITOR webshell**, indicating attackers established persistence post-exploitation.
### Data Exfiltration/Impact
- Impact: The nature of the initial compromise (command injection) suggests unauthorized system access and potential data theft, though specific confirmed exfiltrated data is not detailed in the summary provided. The impact is severe due to the breadth of global compromise affecting critical infrastructure.
### Detection & Response
- Detection: Volexity observed increased scanning and received reports from multiple organizations regarding mismatched files detected by the built-in ICS VPN integrity scanner, which flagged compromises starting around **2024-01-11**.
- Response Actions: Ivanti released a **mitigation** on 2024-01-10. Volexity urged immediate application of this mitigation and recommended running the updated **Integrity Checker Tool** for detection.
## Attack Methodology
- Initial Access: Exploitation of Chained Zero-Days (CVE-2023-46805 & CVE-2024-21887) on Ivanti ICS VPNs.
- Persistence: Installation of webshells, including variants of **GIFTEDVISITOR**.
- Privilege Escalation: Not explicitly detailed, but the command injection vulnerability inherently allows execution with privileges afforded by the compromised service/user, likely leading to elevated local access.
- Defense Evasion: Use of zero-day exploits to bypass perimeter security. The discovery relied on file integrity checks rather than standard network monitoring for initial detection.
- Credential Access: Not explicitly detailed, but common post-exploitation activity following webshell placement.
- Discovery: Not explicitly detailed, but attackers likely performed internal reconnaissance after establishing webshell access.
- Lateral Movement: Not explicitly detailed beyond persistent backdoor access.
- Collection: Not explicitly detailed, but implied due to the high-value targets identified.
- Exfiltration: Not explicitly detailed.
- Impact: Unauthorized system command execution and maintenance of persistent backdoors.
## Impact Assessment
- Financial: Not quantified, but likely significant given the impact across Fortune 500 companies and critical sectors.
- Data Breach: High risk; organizations across nearly all economic sectors are implicated.
- Operational: Potential for significant disruption in government, defense, and core business operations given the affected scope.
- Reputational: High, as the incident involves vulnerabilities affecting critical security infrastructure appliances worldwide.
## Indicators of Compromise
- Network Indicators: N/A (details not provided; likely restricted IOCs).
- File Indicators: Suspicious or mismatched files reported by Ivanti Integrity Checker Tool; discovery of **GIFTEDVISITOR webshell variants**.
- Behavioral Indicators: Observed unauthorized HTTP requests to specific file paths on the ICS VPN appliance that are not publicly documented (as noted on 2024-01-11).
## Response Actions
- Containment Measures: Immediate application of the **Ivanti-provided mitigation** for CVE-2023-46805 and CVE-2024-21887.
- Eradication Steps: Removal of identified webshells (e.g., GIFTEDVISITOR variants) and forensic investigation following any Integrity Tool hit, as per prior Volexity guidance.
- Recovery Actions: Patching the underlying ICS VPN appliance, and comprehensive system auditing post-mitigation deployment.
## Lessons Learned
- Zero-day vulnerabilities in externally facing appliances, like VPNs, offer a high-impact, low-effort initial access vector for widespread exploitation.
- The mitigation prevents future exploitation but does not remediate existing compromises; post-exploitation forensics are critical.
- The built-in Integrity Checker Tool proved effective in detecting post-exploitation artifacts (mismatched files) after the fact.
- Exploitation activity diversified quickly, with multiple threat actors moving in after initial public reporting.
## Recommendations
- Immediately apply the Ivanti mitigation for the authentication bypass and command injection vulnerabilities.
- Run the Ivanti Integrity Checker Tool immediately on all ICS VPN devices to check for signs of prior compromise.
- If the Integrity Checker Tool returns hits, follow established forensic response procedures to fully eradicate persistent backdoors.
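The detection principle behind the Integrity Checker Tool (Lessons Learned and Recommendations above) is a comparison of the appliance's files against a known-good manifest, flagging mismatched and new files. The following Python example is added here to illustrate that principle; it is not Ivanti's tool, does not reproduce its output format, and uses constructed file names in a temporary directory. It also reports missing files, which goes slightly beyond what the page describes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Known-good baseline: sha256 of every regular file, keyed by path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def integrity_check(root, manifest):
    """Compare the current tree against the baseline manifest.

    Returns (mismatched, new, missing) as sorted lists of relative paths.
    A webshell dropped post-exploitation shows up as 'new'; a modified
    legitimate script shows up as 'mismatched'."""
    current = build_manifest(root)
    mismatched = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    new = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return mismatched, new, missing


def demo():
    """Constructed scenario (hypothetical file names): baseline a clean tree,
    then simulate one modified script and one dropped file, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "welcome.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "config.xml").write_text("<config/>\n")
        manifest = build_manifest(root)          # taken while the tree is known-good
        # Simulated post-exploitation changes (constructed, not real artifacts)
        (root / "cgi-bin" / "welcome.cgi").write_text("#!/usr/bin/perl\nprint 'ok'; # changed\n")
        (root / "cgi-bin" / "dropped.cgi").write_text("#!/usr/bin/perl\n# new file\n")
        return integrity_check(root, manifest)


if __name__ == "__main__":
    for label, paths in zip(("mismatched", "new", "missing"), demo()):
        print(f"{label}: {paths}")
```

Any non-empty `mismatched` or `new` result is the signal to move to forensic investigation rather than simply reapplying the mitigation.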