Ivanti

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after the appliances are factory reset.

Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 exploits.

The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side-request forgery, and arbitrary command execution.

CISA found that the Ivanti ICT failed to detect compromise while investigating multiple hacking incidents involving hacked Ivanti appliances.

This happened because web shells that were found on systems had no file mismatches, according to Ivanti's ICT.

Additionally, forensic analysis revealed that the attackers covered their tracks by overwriting files, time-stomping files, and re-mounting the runtime partition to restore the compromised appliance to a "clean state."

This shows that ICT scans were not always reliable in detecting previous compromises and can create a false sense of security that the device is free of any compromise, according to CISA. Ivanti has now released an updated external Integrity Checker Tool to resolve the issues in their previous scanner.

Furthermore, the U.S. cybersecurity agency could independently confirm in a test lab that more than Ivanti's ICT is needed to detect compromise adequately since threat actors might gain root-level persistence between factory resets.

"During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise," CISA warned on Thursday.

"In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."

However, CISA does provide federal agencies with guidance on how to proceed after discovering signs of compromise on Ivanti VPN appliances on their networks.

The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory. — CISA

CISA: "Consider the significant risk"

Today, in response to CISA's advisory, Ivanti said that remote attackers attempting to gain root persistence on an Ivanti device using the method CISA found would lose connection to the Ivanti Connect Secure appliance.

"Ivanti and our security partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets (hardware)/ new build (virtual) recommended by Ivanti," Ivanti said.

Despite the company's assurances, CISA urged all Ivanti customers today to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment" [CISA's emphasis].

In other words, CISA warns it may still not be safe to use previously compromised Ivanti Connect Secure and Ivanti Policy Secure devices even after cleaning and performing a factory reset.

On February 1st, in response to the "substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours.

The agencies were mandated to export configurations, factory reset them, rebuild them using patched software versions released by Ivanti, reimport the backed-up configs, and revoke all connected or exposed certificates, keys, and passwords to be able to bring the isolated devices back online.

Federal agencies that found compromised Ivanti products on their networks were told to assume that all linked domain accounts were compromised and disable joined/registered devices (in cloud environments) or perform a double password reset for all accounts and revoke Kerberos tickets and cloud tokens (in hybrid setups).

Nation-state actors exploited some of the security vulnerabilities mentioned by CISA in today's advisory as zero-days before they were leveraged at a larger scale by a broad range of threat actors to drop multiple custom malware strains.

Another Connect Secure zero-day tracked as CVE-2021-22893 was used by suspected Chinese threat groups in 2021 to breach dozens of government, defense, and financial organizations across the United States and Europe.

Update February 29, 19:57 EST: Revised story and title to make it clear the advisory refers to Ivanti Connect Secure and Ivanti Policy Secure VPN appliances.
