Active Exploitations on Ivanti Secure Gateways Demand Immediate Attention

CISA alerts on critical Ivanti vulnerabilities, urging immediate patching and treating all credentials on affected appliances as compromised.

Critical Advisory:

**Critical Security Alert: Active Exploitations in Ivanti Gateways Demand Immediate Action**

The Cybersecurity and Infrastructure Security Agency (CISA), alongside Volexity, Ivanti, and Mandiant, and in coordination with international and federal agencies such as the FBI, MS-ISAC, ASD's ACSC, NCSC-UK, the Canadian Centre for Cyber Security, NCSC-NZ, and CERT-NZ, is issuing an urgent advisory on the exploitation of critical vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities, identified as being actively exploited, underscore a pressing cybersecurity threat on a global scale.

Attackers have been found bypassing Ivanti’s Integrity Checker Tool (ICT), exploiting vulnerabilities to gain unauthorized access and control over affected systems. The vulnerabilities—CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—affect all supported versions, enabling cyber adversaries to bypass authentication protocols, manipulate requests, and execute commands with elevated privileges.

In-depth investigations, coupled with CISA's independent evaluations, reveal that Ivanti's ICT is inadequate for detecting such compromises, highlighting the potential for adversaries to maintain undetected, root-level access even after a factory reset.

This advisory directs network defenders to treat all credentials within Ivanti VPN appliances as compromised and to adopt the recommended detection methods, IOCs, and Ivanti's latest patching guidance. In the event of a suspected compromise, a detailed examination of logs and artifacts for malicious activity is crucial, following the outlined incident response recommendations.

Given the advanced tactics observed and the possibility of threat actors achieving and sustaining rootkit-level persistence, organizations are strongly advised to reevaluate the risks of continuing the operation of Ivanti Secure Gateways in their networks.

Given the gravity of these vulnerabilities, CISA enacted Emergency Directive 24-01, compelling immediate action from Federal Civilian Executive Branch agencies. Similarly, the Canadian Centre for Cyber Security has issued a corresponding alert, emphasizing the urgency for IT professionals and managers to stay informed and vigilant.

Employing the MITRE ATT&CK® framework, this advisory delineates the exploitation tactics and techniques, with initial exploitations traced back to Volexity's December 2023 reports. Despite Ivanti’s initial mitigation efforts, subsequent adaptations by attackers have led to the discovery of additional vulnerabilities, stressing the imperative need for continuous vigilance and proactive defense measures.

CodeLock's Advanced Anomaly Detection and Integrity Verification Features could have proactively identified unusual patterns and integrity discrepancies, offering an early warning against these exploitation attempts, thereby enhancing the security posture against such sophisticated threats. In response to these evolving tactics, Ivanti disclosed additional vulnerabilities, highlighting the critical need for network defenders to remain vigilant and proactive in their security measures.

For a full breakdown visit: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b