Full Report
On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024, proof-of-concept code for the exploit was made public. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning the same day. Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by GIFTEDVISITOR to […] The post Ivanti Connect Secure VPN Exploitation: New Observations appeared first on Volexity.
Analysis Summary
# Incident Report: Widespread Exploitation of Ivanti Connect Secure VPN
## Executive Summary
Exploitation of Ivanti Connect Secure VPN appliances through CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), chained for unauthenticated command execution, became widespread from January 15, 2024 and accelerated once proof-of-concept code was published on January 16; UTA0178 had been exploiting the same flaws with non-public exploits before disclosure. Threat actors, including the APT group UTA0178 and criminal entities, deployed the GIFTEDVISITOR webshell, XMRig cryptocurrency miners and a Rust-based payload. Volexity identified over 2,100 appliances carrying GIFTEDVISITOR and found that on some appliances the Ivanti mitigation had been undone by importing a configuration backup after the mitigation was applied, leaving them vulnerable again.
## Incident Details
- Discovery Date: January 15, 2024
- Incident Date: Beginning January 15, 2024 (with evidence of pre-existing compromise from December 2023)
- Affected Organization: Numerous global organizations (Widespread)
- Sector: Various; any organization operating an Internet-facing Ivanti Connect Secure VPN appliance
- Geography: Global
## Timeline of Events
### Initial Access
- Date/Time: Beginning January 15, 2024 (with prior activity in December 2023)
- Vector: Exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805.
- Details: Attackers utilized non-public exploits initially, followed by widespread exploitation after Proof-of-Concept (PoC) code became public on January 16, 2024.
### Lateral Movement
- Details: The source describes no movement beyond the appliance itself. UTA0178 was observed collecting configuration data, web logs, and database files related to sessions and accounts from compromised appliances; this material (credentials, live session data, internal configuration) is what an attacker would need to move into the network behind the VPN. UTA0178 also modified the built-in Integrity Checker Tool so that it always reports a clean status, which would hide any further staging of tools or data on the appliance.
### Data Exfiltration/Impact
- Details: Attackers collected configuration data, web logs, and database files. Criminal actors deployed XMRig cryptocurrency miners. A Rust-based payload was also observed being downloaded. Over 2,100 systems were found infected with the GIFTEDVISITOR webshell.
### Detection & Response
- Detection: Volexity used scanning for the GIFTEDVISITOR webshell to identify initial compromises, followed by targeted scans on January 16, 2024, which identified an additional 368 systems. Further analysis of older compromises revealed UTA0178 tradecraft.
- Response: Organizations were advised to apply the Ivanti mitigation *after* importing any configuration backup, because importing a backup after the mitigation has been applied reverts it and leaves the appliance exploitable again. Running the external Integrity Checker Tool proactively was emphasized, since the built-in checker on a compromised appliance cannot be trusted.
## Attack Methodology
- Initial Access: Exploitation of CVE-2024-21887 and CVE-2023-46805.
- Persistence: Deployment of the **GIFTEDVISITOR** webshell. UTA0178 modified the native Integrity Checker Tool to mask file changes.
- Privilege Escalation: No separate step is described. CVE-2023-46805 bypasses authentication and CVE-2024-21887 injects commands; chained, they give unauthenticated command execution on the appliance, which is sufficient to write a webshell and alter appliance files.
- Defense Evasion: Modification of the built-in Integrity Checker Tool (`scanner.py`) so that it reports a clean result regardless of which files were added or changed.
- Credential Access: Stealing database files associated with accounts and session data.
- Discovery: Implied reconnaissance to identify configuration files and sensitive system data.
- Lateral Movement: Not directly observed in the source. The stolen configuration files, web logs, and account/session database files provide the credentials and internal-network detail needed for onward movement.
- Collection: Gathering configuration files, web logs, and database files.
- Exfiltration: Staging exfiltrated data in various Internet-accessible folders for remote download.
- Impact: Cryptocurrency mining (XMRig deployment) and data theft.
## Impact Assessment
- Financial: Not quantified, but implied costs associated with cryptocurrency mining and incident response/remediation.
- Data Breach: Configuration data, web logs, and database files associated with user accounts and sessions were stolen.
- Operational: Potential system downtime during remediation; cryptocurrency mining impacting device performance.
- Reputational: Not detailed, but widespread exploitation implies significant reputational risk for affected entities.
## Indicators of Compromise
- Network Indicators (Defanged):
  - Miner Pool: `auto.c3pool[.]org:19999`
  - Malicious URLs for miners/payloads: `hxxp://192.252.183[.]116:8089/u/...`
  - Cloud storage download URLs: `hxxp://abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/...`, etc.
- File Indicators:
  - Webshell: GIFTEDVISITOR
  - Miner: XMRig
  - Payload: Rust-based malware
- Behavioral Indicators:
  - Modification of `/home/venv3/lib/python3.6/site-packages/scanner-0.1-egg/scanner/scripts/scanner.py`
  - Outbound connections from the appliance to the hosts above to download XMRig components or the Rust payload.
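The network indicators above are defanged, so they cannot be compared against logs as written. The following script is an added example, not code from the Volexity post or from Ivanti: it refangs the indicators listed in this summary (host and port only; the truncated paths are not reproduced), parses constructed `key=value` egress log lines, and flags every connection whose destination IP or hostname matches an indicator host, recording the indicator's port so the analyst can see whether the port also matched. The log lines and the key names (`src`, `dst`, `host`, `dport`) are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Network IOCs as listed in this summary, still defanged. The "..." path
# remainders from the summary are left out; matching is on host and port.
DEFANGED_IOCS = [
    "auto.c3pool[.]org:19999",
    "hxxp://192.252.183[.]116:8089/u/",
    "hxxp://abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/",
]

# Constructed egress log, one connection per line. Not real appliance logs;
# the dst addresses for the hostnames are placeholders.
SAMPLE_LOG = """\
2024-01-17T02:11:09Z src=10.20.30.5 dst=192.252.183.116 dport=8089 proto=tcp action=allow
2024-01-17T02:11:12Z src=10.20.30.5 dst=104.18.24.7 host=auto.c3pool.org dport=19999 proto=tcp action=allow
2024-01-17T02:12:40Z src=10.20.30.5 dst=52.219.160.10 host=abode-dashboard-media.s3.ap-south-1.amazonaws.com dport=443 proto=tcp action=allow
2024-01-17T02:13:01Z src=10.20.30.5 dst=192.252.183.116 dport=443 proto=tcp action=allow
2024-01-17T02:15:55Z src=10.20.30.6 dst=172.217.0.46 host=www.example.com dport=443 proto=tcp action=allow
"""


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator compares equal to what logs contain."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # hxxp:// and hxxps:// -> http:// and https://
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def ioc_host_port(ioc: str):
    """Return (hostname, port or None) from a refanged URL or bare host[:port]."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare host[:port] as the netloc
    parts = urlsplit(s)
    return parts.hostname.lower(), parts.port


def parse_line(line: str) -> dict:
    """Turn 'ts key=value key=value ...' into a dict; the leading timestamp is kept as 'ts'."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_egress_logs(log_text: str, defanged_iocs) -> list:
    """One hit per log line whose dst IP or hostname is an IOC host.

    Each hit is (line_no, matched_host, dport, ioc_port). ioc_port is None when the
    indicator carries no port; otherwise compare it with dport: a different port on
    the same attacker host is still worth a look, just lower confidence.
    """
    iocs = dict(ioc_host_port(i) for i in defanged_iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        f = parse_line(line)
        dport = int(f["dport"]) if "dport" in f else None
        for key in ("dst", "host"):
            h = f.get(key, "").lower()
            if h in iocs:
                hits.append((n, h, dport, iocs[h]))
                break  # one hit per line even if both dst and host match
    return hits


if __name__ == "__main__":
    for line_no, host, dport, ioc_port in match_egress_logs(SAMPLE_LOG, DEFANGED_IOCS):
        precision = "host+port" if ioc_port in (None, dport) else "host only"
        print(f"line {line_no}: {host}:{dport} ({precision})")
```

Run against real firewall or proxy exports by replacing `SAMPLE_LOG` with the file contents; the parser only needs `dst`/`host` and `dport` fields. Because the appliance initiates these connections, the search is over egress (outbound) logs from the VPN's address, not inbound connections to it.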
## Response Actions
- Containment: Organizations were urged to apply Ivanti mitigations immediately.
- Eradication: Specific steps are not given in the source; removal of GIFTEDVISITOR and any miner or Rust payload is required, and a modified Integrity Checker Tool means the appliance's own checks cannot confirm that removal was complete.
- Recovery: Restoring systems and re-applying mitigations, critically ensuring mitigations are applied *after* configuration backups are imported.
## Lessons Learned
- Mitigation Order is Crucial: Importing a configuration backup after the Ivanti mitigation has been applied reverts the mitigation, so an appliance that appeared protected is exploitable again. The mitigation must be applied after the import, and re-checked afterwards.
- Persistence/Evasion Techniques: Advanced threat actors like UTA0178 actively target and modify system tools (like the Integrity Checker) to evade post-incident investigation attempts.
- Value of External Tools: External integrity checking tools must be run proactively and systematically, as internal checks may be compromised.
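The point in the Defense Evasion and Lessons Learned entries above, that a checker living on the appliance can be edited to lie, is easiest to see with a small simulation. The script below is an added example and is not Ivanti's Integrity Checker Tool or its `scanner.py`: it builds a toy appliance tree in a temporary directory, writes a minimal hash-based checker into it, takes a known-good manifest off-box, then plants a file standing in for a webshell and edits the on-box checker so it always returns nothing (the effect reported for UTA0178; the actual edit is not reproduced). The on-box checker, loaded from disk the way an operator would run it, reports clean; the same comparison done with trusted code and the off-box manifest reports both the planted file and the altered checker. The directory layout, file names and checker code are all assumptions for the example.

```python
import hashlib
import os
import runpy
import tempfile

# Illustrative layout: the checker is itself a file on the appliance.
CHECKER_REL = os.path.join("scripts", "scanner.py")
WEBSHELL_REL = os.path.join("html", "shell.py")

# Minimal on-box checker source (not Ivanti's). It walks the tree and reports
# any file that is new or whose SHA-256 differs from the manifest it is given.
CLEAN_CHECKER_SRC = '''\
import hashlib, os

def scan(root, manifest):
    """Return relative paths that are new or whose hash differs from the manifest."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if manifest.get(rel) != digest:
                findings.append(rel)
    return sorted(findings)
'''

# The same file after an attacker edits it to report a clean result no matter
# what changed. This stands in for the effect described above, not the real edit.
TAMPERED_CHECKER_SRC = CLEAN_CHECKER_SRC.replace(
    "    findings = []\n",
    "    return []  # tampered: always report clean\n    findings = []\n",
)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash every file under root, the checker included, into {relative_path: sha256}."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def external_check(root: str, trusted_manifest: dict) -> list:
    """Trusted comparison: this code and the manifest live off the appliance."""
    current = build_manifest(root)
    # A production check would also report manifest entries missing from disk.
    return sorted(rel for rel, d in current.items() if trusted_manifest.get(rel) != d)


def on_box_check(root: str, manifest: dict) -> list:
    """Run whatever checker is currently on the appliance, as an operator would."""
    module_globals = runpy.run_path(os.path.join(root, CHECKER_REL))
    return module_globals["scan"](root, manifest)


def write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Clean baseline, then a planted file plus a tampered checker; return all verdicts."""
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("html", "index.html"), "<html>ok</html>\n")
        write(root, CHECKER_REL, CLEAN_CHECKER_SRC)
        manifest = build_manifest(root)  # known-good copy, kept off-box
        results = {
            "baseline_on_box": on_box_check(root, manifest),
            "baseline_external": external_check(root, manifest),
        }
        # Post-compromise: a file standing in for a webshell, and a silenced checker.
        write(root, WEBSHELL_REL, "# constructed placeholder for a planted webshell\n")
        write(root, CHECKER_REL, TAMPERED_CHECKER_SRC)
        results["on_box"] = on_box_check(root, manifest)
        results["external"] = external_check(root, manifest)
        return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'clean'}")
```

The design point is that the manifest covers the checker's own file and the comparison runs from code the attacker could not reach; that is what the external Integrity Checker Tool recommendation above amounts to. A check whose code and reference data both sit on the compromised appliance can only ever confirm what the attacker allows it to.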
## Recommendations
- Immediately apply vendor-released mitigations for the Ivanti vulnerabilities.
- **Critically:** Ensure that security mitigations are applied **after** any configuration backup files are imported onto newly deployed or restored Ivanti Connect Secure VPN appliances.
- Proactively run the external Ivanti Integrity Checker Tool to audit all appliances, regardless of initial vulnerability mitigation status.
- Prepare for patching as soon as official vendor patches become available.