The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning government agencies to patch recently discovered Ivanti flaws immediately, as they’re being used in the wild to compromise vulnerable endpoints.
CISA’s alert warns Federal Civilian Executive Branch (FCEB) agencies of two flaws: CVE-2023-46805 (authentication bypass), and CVE-2024-21887 (code injection).
The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), and allow threat actors to run arbitrary commands on the endpoints.
Thousands of victims
Since January 11 this year, a “sharp increase” in attacks was observed, CISA warned. Government agencies don’t seem to be exclusive targets, though, as researchers observed organizations being targeted indiscriminately. Both small businesses and some of the world’s largest organizations, operating in different industries including aerospace, banking, defense, and government, all fell prey so far.
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency said.
Ivanti is yet to release a patch for the flaws, it was said. In the meantime, it released mitigation measures which include importing an XML file into affected products, thus making necessary reconfigurations.
Furthermore, CISA said businesses should first run an External Integrity Checker Tool to see if their endpoints were compromised. If any signs of foul play are found, the devices need to be disconnected, reset, and then have the XML file introduced. Also, FCEB agencies need to revoke and reissue certificates, reset admin credentials, store API keys, and reset local user passwords.
The zero-days were first spotted being abused in December last year, by a Chinese state-sponsored threat actor tracked as UTA0178. Since then, the group successfully breached more than 2,000 devices all over the world, and used the advantage to install passive backdoors and deploy web shells.
Via TheHackerNews