Ivanti has flagged multiple vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways. These include three zero-day vulnerabilities: an authentication bypass (CVE-2023-46805), a command injection (CVE-2024-21887) and a server-side request forgery (CVE-2024-21893). There are reports that the vulnerabilities are being actively exploited by threat actors.
The vulnerabilities are as follows:
- CVE-2023-46805: An authentication bypass vulnerability in the web component of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow a remote attacker to access restricted resources by bypassing control checks.
- CVE-2024-21887: A command injection vulnerability in web components of vulnerable versions of Ivanti Connect Secure and Ivanti Policy Secure may allow an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
- CVE-2024-21888: A privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure may allow an attacker to elevate privileges to those of an administrator.
- CVE-2024-21893: A server-side request forgery vulnerability in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA may allow an unauthenticated attacker to access certain restricted resources.
When chained, the zero-day vulnerabilities give an attacker command execution on the appliance without credentials: the authentication bypass (CVE-2023-46805) reaches the web endpoint affected by the command injection (CVE-2024-21887), which would otherwise require an authenticated administrator. From that foothold, attackers have been observed moving laterally within the target's network, exfiltrating data, and establishing persistent access by deploying backdoors.
The following products are affected by the vulnerabilities:
- Ivanti Connect Secure versions 9.x and 22.x
- Ivanti Policy Secure versions 9.x and 22.x
- Ivanti Neurons for ZTA gateways (CVE-2024-21893)
Containment Actions
Organisations running impacted systems are advised to perform the following immediate containment and investigative actions:
- Disconnect and isolate the impacted appliance(s) from the networks and any enterprise resources to the greatest degree possible.
- Run the external Integrity Checker Tool (ICT) to identify potential signs of compromise. Ivanti recommends running the external ICT as there have been observed attempts by threat actors to evade detection by manipulating Ivanti's internal (built-in) ICT.
- Provide the results to Ivanti support for further review. Ivanti will assess whether the appliance is compromised and recommend next steps. Ivanti can also assist with decryption and with capturing a forensic / memory image from the impacted appliance(s).
- Perform a forensic review of the captured image(s) to identify additional signs of compromise or malicious activities.
- Review the available logs from the appliance(s), including:
  - VPN device logs: ensure that the VPN logs can be viewed on the web interface or exported for offline analysis. These are accessible via System > Log/Monitoring in the administrative interface.
  - Unauthenticated request logging: ensure that unauthenticated web requests made to the Connect Secure VPN appliance(s) are recorded in the user access logs. This is configured via System > Log/Monitoring > User Access > Select Events to Log.
  - Syslog forwarding: ensure that appliance logs are available off the appliance(s), where an attacker on the appliance cannot modify them. It is recommended that the following log types be configured for syslog forwarding:
Remediation Measures
Organisations running impacted systems are advised to perform the following remediation measures before bringing them back into production:
- Preserve a forensic image from the impacted appliance(s) for forensic analysis and investigative purposes.
- Backup and export the configuration settings of the impacted appliance(s).
- When upgrading, any exploited or attacker-added files on the device will not persist through the upgrade.
- Rolling back to the compromised version would reintroduce the compromise. Because the appliance stores only one rollback version, performing two upgrades removes the compromised version from the appliance.
- Download and apply the official patch immediately.
- If a previous mitigation (XML file) was applied before the patch, it can be removed once the patch has been applied. The mitigation removal XML process can be found in the download portal.
- If a patch is not yet available for a vulnerable appliance:
  - Apply the mitigation (by importing the mitigation.release.20240126.5.xml file) after the upgrade has been completed. Note that applying the XML file may impact functionality and features of the appliance, including SAML authentication.
  - Stop pushing configurations to appliances once the XML file is in place, and do not resume until formal patches have been issued by Ivanti. This includes any configurations pushed using Pulse One and/or nSA, since pushing a configuration to an appliance will stop the short-term mitigation from functioning.
- Restore the device configuration.
- Revoke or rotate any device-specific secrets stored on the appliance(s) prior to compromise.
- Revoke and reissue any connected or exposed certificates, keys, and passwords.
- Reset the admin enable password.
- Reset any stored application programming interface (API) keys.
- Reset the password of any local user defined on the gateway, including service accounts used for third-party integrated authentication configurations.
- If any credential stealers are identified on an appliance, reset the passwords for any users that authenticated to the appliance(s) during the period when the malware was active.
Hardening Measures
Besides aligning with security configuration best practices, organisations can consider applying the following recommendations to further harden their systems:
- Restrict egress communications from the CS VPN appliance(s). This limits the impact of command-and-control (C2) communications from any backdoor present on an appliance.
- Disable administrative access to the CS VPN appliance(s) from the external (internet-facing) port: Administrators > Admin Realms > (select realm) > Authentication Policy > Source IP, and ensure that "Enable administrators to sign in on the External Port" is not enabled.
- Minimise the scope of internal connectivity paths that could be leveraged for lateral movement from the management interface of CS VPN appliance(s).
- If the appliance(s) are configured with a one-arm topology, the following hardening measures should be considered:
  - Enable source IP based restrictions for the administrator realm: Administrators > Admin Realms > Admin Users > Authentication Policy > Source IP.
  - Enable MFA for the administrator sign-in URL.
  - Allow administrators to sign in only on the Management Port and disable administrator sign-in on the Internal Port: Administrators > Admin Realms > Admin Users > Authentication Policy > Administrator sign in ports.
- Disable Session Roaming, which mitigates the impact of a stolen session cookie being reused from a different IP address that does not correlate to the user who initially logged in.
  - Users: Users > User Roles > (select role) > General > Session Options: Roaming Session, select "Disabled"
  - Admins: Administrators > Admin Roles > (select role) > General > Session Options: Roaming Session, select "Disabled"
- Enforce session lifetime limits to reduce the risk of a stolen session being reused by an attacker indefinitely.
  - Users: Users > User Roles > (select role) > General > Session Options: Session lifetime lengths
  - Admins: Administrators > Admin Roles > (select role) > General > Session Options: Session lifetime lengths
- Do not allow Persistent Sessions, which likewise reduces the risk of a stolen session being reused by an attacker.
  - Users: Users > User Roles > (select role) > General > Session Options: Persistent Session, select "Disabled"
  - Admins: Administrators > Admin Roles > (select role) > General > Session Options: Persistent Session, select "Disabled"
- Enable "Remove Browser Session Cookies" to reduce the risk of browser session cookies being stolen.
  - Users: Users > User Roles > (select role) > General > Session Options: Remove Browser Session Cookie, select "Enabled"
  - Admins: Administrators > Admin Roles > (select role) > General > Session Options: Remove Browser Session Cookie, select "Enabled"
- Enable "HTTP Only Device Cookie" so that the device cookie cannot be read by client-side script, reducing the risk of cookie theft.
  - Users: Users > User Roles > (select role) > General > Session Options: HTTP Only Device Cookie, select "Enabled"
  - Admins: Administrators > Admin Roles > (select role) > General > Session Options: HTTP Only Device Cookie, select "Enabled"
Host and Network IOCs
Possible host and network Indicators of Compromise (IOCs) associated with the active campaign are listed in the tables below. Network administrators are advised to configure their firewall rules to block connections to the network IOCs, review any prior connections to them, and scan their systems for the presence of the host-based IOCs.
Network-based Indicators
| Indicator | Type | Description |
| --- | --- | --- |
| symantke[.]com | Domain | WARPWIRE C2 server |
| miltonhouse[.]nl | Domain | WARPWIRE variant C2 server |
| entraide-internationale[.]fr | Domain | WARPWIRE variant C2 server |
| api.d-n-s[.]name | Domain | WARPWIRE variant C2 server |
| cpanel.netbar[.]org | Domain | WARPWIRE variant C2 server |
| clickcom[.]click | Domain | WARPWIRE variant C2 server |
| clicko[.]click | Domain | WARPWIRE variant C2 server |
| duorhytm[.]fun | Domain | WARPWIRE variant C2 server |
| line-api[.]com | Domain | WARPWIRE variant C2 server |
| areekaweb[.]com | Domain | WARPWIRE variant C2 server |
| ehangmun[.]com | Domain | WARPWIRE variant C2 server |
| secure-cama[.]com | Domain | WARPWIRE variant C2 server |
| 146.0.228[.]66 | IPv4 | WARPWIRE variant C2 server |
| 159.65.130[.]146 | IPv4 | WARPWIRE variant C2 server |
| 8.137.112[.]245 | IPv4 | WARPWIRE variant C2 server |
| 91.92.254[.]14 | IPv4 | WARPWIRE variant C2 server |
| 186.179.39[.]235 | IPv4 | Mass exploitation activity |
| 50.215.39[.]49 | IPv4 | Post-exploitation activity |
| 45.61.136[.]14 | IPv4 | Post-exploitation activity |
Host-Based Indicators
| Filename | MD5 | Description |
| --- | --- | --- |
| health.py | 3045f5b3d355a9ab26ab6f44cc831a83 | CHAINLINE web shell |
| compcheckresult.cgi | 3d97f55a03ceb4f71671aa2ecf5b24e9 | LIGHTWIRE web shell |
| lastauthserverused.js | 2ec505088b942c234f39a37188e80d7a | WARPWIRE credential harvester variant |
| lastauthserverused.js | 8eb042da6ba683ef1bae460af103cc44 | WARPWIRE credential harvester variant |
| lastauthserverused.js | a739bd4c2b9f3679f43579711448786f | WARPWIRE credential harvester variant |
| lastauthserverused.js | a81813f70151a022ea1065b7f4d6b5ab | WARPWIRE credential harvester variant |
| lastauthserverused.js | d0c7a334a4d9dcd3c6335ae13bee59ea | WARPWIRE credential harvester |
| lastauthserverused.js | e8489983d73ed30a4240a14b1f161254 | WARPWIRE credential harvester variant |
| category.py | 465600cece80861497e8c1c86a07a23e | FRAMESTING web shell |
| logo.gif | N/A (varies) | Configuration and cache dump or CAV web server log exfiltration |
| login.gif | N/A (varies) | Configuration and cache dump |
| `[a-fA-F0-9]{10}\.css` (filename matches this regular expression) | N/A (varies) | Configuration and cache dump |
| visits.py | N/A (varies) | WIREFIRE web shell |
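Added example (not part of the advisory or of any Ivanti tooling): an offline Python sweep that embeds the network and host-based indicators from the two tables above and runs them over exported log lines and a mounted forensic image or copied web root. The SAMPLE_LOG lines and their format are constructed for illustration and do not represent real appliance or firewall logs. Indicator matching uses boundary-aware regular expressions so that look-alike domains and longer IP addresses do not produce false hits; name-only matches (logo.gif, login.gif, visits.py and the ten-hex-character .css pattern) are reported as a separate, weaker match kind because those names are only meaningful under the appliance's web root and need manual review.

```python
import hashlib
import os
import re

# Indicators transcribed from the advisory tables above, defanged as published.
NETWORK_IOCS = {
    "symantke[.]com": "WARPWIRE C2 server",
    "miltonhouse[.]nl": "WARPWIRE variant C2 server",
    "entraide-internationale[.]fr": "WARPWIRE variant C2 server",
    "api.d-n-s[.]name": "WARPWIRE variant C2 server",
    "cpanel.netbar[.]org": "WARPWIRE variant C2 server",
    "clickcom[.]click": "WARPWIRE variant C2 server",
    "clicko[.]click": "WARPWIRE variant C2 server",
    "duorhytm[.]fun": "WARPWIRE variant C2 server",
    "line-api[.]com": "WARPWIRE variant C2 server",
    "areekaweb[.]com": "WARPWIRE variant C2 server",
    "ehangmun[.]com": "WARPWIRE variant C2 server",
    "secure-cama[.]com": "WARPWIRE variant C2 server",
    "146.0.228[.]66": "WARPWIRE variant C2 server",
    "159.65.130[.]146": "WARPWIRE variant C2 server",
    "8.137.112[.]245": "WARPWIRE variant C2 server",
    "91.92.254[.]14": "WARPWIRE variant C2 server",
    "186.179.39[.]235": "Mass exploitation activity",
    "50.215.39[.]49": "Post-exploitation activity",
    "45.61.136[.]14": "Post-exploitation activity",
}
HOST_IOC_MD5 = {
    "3045f5b3d355a9ab26ab6f44cc831a83": ("health.py", "CHAINLINE web shell"),
    "3d97f55a03ceb4f71671aa2ecf5b24e9": ("compcheckresult.cgi", "LIGHTWIRE web shell"),
    "2ec505088b942c234f39a37188e80d7a": ("lastauthserverused.js", "WARPWIRE credential harvester variant"),
    "8eb042da6ba683ef1bae460af103cc44": ("lastauthserverused.js", "WARPWIRE credential harvester variant"),
    "a739bd4c2b9f3679f43579711448786f": ("lastauthserverused.js", "WARPWIRE credential harvester variant"),
    "a81813f70151a022ea1065b7f4d6b5ab": ("lastauthserverused.js", "WARPWIRE credential harvester variant"),
    "d0c7a334a4d9dcd3c6335ae13bee59ea": ("lastauthserverused.js", "WARPWIRE credential harvester"),
    "e8489983d73ed30a4240a14b1f161254": ("lastauthserverused.js", "WARPWIRE credential harvester variant"),
    "465600cece80861497e8c1c86a07a23e": ("category.py", "FRAMESTING web shell"),
}
# Name-only indicators: low confidence, only meaningful under the appliance web root.
HOST_IOC_NAMES = {
    "logo.gif": "Configuration and cache dump or CAV web server log exfiltration",
    "login.gif": "Configuration and cache dump",
    "visits.py": "WIREFIRE web shell",
}
CSS_DUMP_RE = re.compile(r"^[a-fA-F0-9]{10}\.css$")


def refang(ioc):
    """Turn the published 'example[.]com' form back into 'example.com' for matching."""
    return ioc.replace("[.]", ".")


def _pattern(ioc):
    plain = refang(ioc)
    esc = re.escape(plain)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", plain):
        # No digit or dot on either side, so 146.0.228.66 does not hit 146.0.228.660.
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    # A leading '.' (subdomain) may precede a domain but a longer label may not:
    # www.symantke.com matches, notsymantke.com does not.
    return re.compile(r"(?<![\w-])" + esc + r"(?![\w-])", re.IGNORECASE)


NETWORK_PATTERNS = [(ioc, _pattern(ioc), desc) for ioc, desc in NETWORK_IOCS.items()]


def scan_log_lines(lines):
    """Return (line_no, indicator, description) for each network IOC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat, desc in NETWORK_PATTERNS:
            if pat.search(line):
                hits.append((n, ioc, desc))
    return hits


def classify_file(path):
    """Return (match_kind, matched_value, description), or None for a clean file."""
    name = os.path.basename(path)
    with open(path, "rb") as f:  # web-root files are small; read whole
        digest = hashlib.md5(f.read()).hexdigest()
    if digest in HOST_IOC_MD5:
        return ("md5", digest, HOST_IOC_MD5[digest][1])
    if name in HOST_IOC_NAMES:
        return ("name", name, HOST_IOC_NAMES[name])
    if CSS_DUMP_RE.match(name):
        return ("pattern", name, "Configuration and cache dump")
    return None


def scan_tree(root):
    """Walk a mounted forensic image or exported web root and collect every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            verdict = classify_file(path)
            if verdict is not None:
                findings.append((path,) + verdict)
    return findings


# Constructed sample lines (not real logs): two true hits, then two look-alikes that must not hit.
SAMPLE_LOG = [
    "Jan 16 10:02:12 fw kernel: OUT src=10.1.2.3 dst=146.0.228.66 dport=443",
    "Jan 16 10:03:40 proxy: CONNECT www.line-api.com:443 from 10.1.2.3",
    "Jan 16 10:04:00 proxy: CONNECT offline-api.com:443 from 10.1.2.4",
    "Jan 16 10:04:05 fw kernel: OUT src=10.1.2.3 dst=146.0.228.660 dport=443",
]
```

Run `scan_log_lines` over exported syslog, firewall or proxy lines (for example `scan_log_lines(open("fw.log"))`) and `scan_tree` over the mounted image; the first two SAMPLE_LOG lines produce hits and the last two do not. An MD5 match is the strongest signal; a name or pattern match by itself is a prompt to pull the file and inspect it, since the same names occur legitimately outside the web root.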
Report a Compromise
Singapore organisations affected by these vulnerabilities should report to SingCERT if any evidence of compromise is found. A report can be made via our Incident Reporting Form at https://go.gov.sg/singcert-incident-reporting-form.
More information is available here: