On Wednesday, cybersecurity researchers at Volexity issued a warning, revealing that suspected Chinese nation-state hackers are currently exploiting two unauthenticated remote zero-day vulnerabilities in Ivanti Connect Secure VPN devices.
Zero-days exploited in attacks
The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, impact fully patched Internet-facing Ivanti Connect Secure VPN appliances (previously known as Pulse Secure) and were discovered during in-the-wild zero-day exploitation.
Ivanti, a company grappling with significant security challenges, has issued pre-patch mitigations for the recent vulnerabilities. However, they have announced that comprehensive fixes will be rolled out on a staggered schedule starting from January 22.
Ivanti emphasized, “We are offering mitigation measures now, as the patch is in development, to prioritize the best interest of our customers. It is crucial that you promptly take action to ensure full protection.”
In a research report, Volexit revealed that it detected the zero-days upon observing suspicious lateral movement within the network of one of its customers. Further investigation revealed that an attacker was deploying webshells on various internal and external-facing web servers.
The company identified the source of the infections, linking them to the Ivanti Connect Secure VPN appliance of the victim company. It was discovered that the logs had been erased, and logging had been disabled.
“Upon further examination of historical network traffic from the device, Volexity identified questionable outbound and inbound communication from its management IP address. The company found evidence of suspect activity originating from the device as early as December 3, 2023,” reported Volexity.
Volexity collaborated closely with Ivanti to acquire disk and memory images from the affected devices, leading to the discovery of the exploit chain employed by the attacker.
“[We] found and chained two distinct zero-day exploits for unauthenticated remote code execution (RCE). Volexity recreated two proof-of-concept exploits through forensic memory analysis, enabling full unauthenticated command execution on the ICS VPN appliance.”
“By combining these two vulnerabilities, attackers can effortlessly execute commands on the system. In this specific incident, the exploits were leveraged by the attacker to pilfer configuration data, alter existing files, download remote files, and establish a reverse tunnel from the ICS VPN appliance,” noted Volexity.
“The attacker used the gathered information and credentials to pivot internally, obtaining unfettered access to a few systems on the network,” cautioned Volexity.