As if two Ivanti vulnerabilities under exploit weren’t bad enough, now there are 3

MuzzMelbourne

Mass exploitation began over the weekend for yet another critical vulnerability in widely used VPN software sold by Ivanti, as hackers already targeting two previous vulnerabilities diversified, researchers said Monday.

The new vulnerability, tracked as CVE-2024-21893, is what’s known as a server-side request forgery. Ivanti disclosed it on January 22, along with a separate vulnerability that so far has shown no signs of being exploited. Last Wednesday, nine days later, Ivanti said CVE-2024-21893 was under active exploitation, aggravating an already chaotic few weeks. All of the vulnerabilities affect Ivanti’s Connect Secure and Policy Secure VPN products.
vtqhtr413

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.

Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 exploits.

The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side request forgery, and arbitrary command execution.

CISA found that the Ivanti ICT failed to detect compromise while investigating multiple hacking incidents involving hacked Ivanti appliances. This happened because web shells that were found on systems had no file mismatches, according to Ivanti's ICT.

When it rains it pours, and for Ivanti customers it's been raining for months now. In the time since the company revealed two high-risk vulnerabilities affecting its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateways (at that point, more than five weeks after early recorded exploits in the wild), two more bugs cropped up, and then a fifth. Attackers have taken advantage to such an extent that, within the US government at least, agencies were ordered to cut the cord entirely on Ivanti's products.

Once-delayed patches finally began to roll out in late January, but affected customers are not out of the woods yet. Research published by Mandiant this week indicates that high-level Chinese hackers are continuing to juice Ivanti for all it's worth, developing new and more advanced methods of intrusion, stealth, and persistence.