SOCRadar® Cyber Intelligence Inc. | Attackers Exploit Ivanti Connect Secure Zero-Day Vulnerabilities to Deploy Webshells (CVE-2023-46805, CVE-2024-21887)
Home

Resources

Blog
Jan 11, 2024
13 Mins Read

Attackers Exploit Ivanti Connect Secure Zero-Day Vulnerabilities to Deploy Webshells (CVE-2023-46805, CVE-2024-21887)

[Update] January 31, 2024: Read under “Ivanti Made Patches Available for Connect Secure Zero-Day Vulnerabilities While New Threats Arise.”

[Update] January 23, 2024: “Ivanti Issued a Warning, Highlighting Critical Race Condition”

[Update] January 19, 2024: “CISA Emergency Directive Urges Immediate Action Against Ivanti Connect Secure Zero-Day Vulnerabilities”

[Update] January 16, 2024: Read under “Ivanti Connect Secure Zero-Days Experience a Surge in Exploitation: Global Impact on Organizations”

In mid-December 2023, researchers at Volexity identified suspicious activity within a client’s network. Their investigation uncovered the deployment of webshells on various internal and external web servers, traced back to the organization’s Ivanti Connect Secure (ICS) VPN appliance.

Upon inspecting the Ivanti Connect Secure VPN appliance, researchers discovered wiped logs and disabled logging, and that the suspicious activity dated back to December 3, 2023.

Subsequent findings confirmed the use of an exploit chain, leveraging zero-day vulnerabilities identified as CVE-2023-46805 and CVE-2024-21887. Exploiting these vulnerabilities enabled the attacker to bypass authentication and achieve Remote Code Execution (RCE).

Details of Ivanti Connect Secure Zero-Day Vulnerabilities (CVE-2023-46805, CVE-2024-21887)

CVE-2023-46805 (CVSS Score: 8.2, High): It is an authentication bypass vulnerability in the web component of Ivanti Connect Secure 9.x, 22.x, and Ivanti Policy Secure. It enables remote attackers to access restricted resources by bypassing control checks.

SOCRadar Vulnerability Intelligence: CVE-2023-46805

SOCRadar Vulnerability Intelligence: CVE-2023-46805

CVE-2024-21887 (CVSS Score: 9.1, Critical): Web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure contain this command injection vulnerability, which allows an authenticated administrator to execute arbitrary commands via crafted requests.

SOCRadar Vulnerability Intelligence: CVE-2024-21887

SOCRadar Vulnerability Intelligence: CVE-2024-21887

When used in an exploit chain, these vulnerabilities enable attackers to craft malicious requests and execute arbitrary commands without authentication.

In the case observed by the researchers, the attacker utilized the zero-day vulnerabilities to steal configuration data, modify files, download remote files, and reverse tunnel from the Ivanti Connect Secure VPN appliance.

Ivanti says mitigation is available for CVE-2023-46805 and CVE-2024-21887, while a patch is in development, scheduled for staggered release (first version by the week of January 22, final version by the week of February 19). The company advises urgent action to mitigate these vulnerabilities. To access the mitigation guide, you can visit the official Ivanti advisory here.

The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert, stating that it has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The agency warns that these types of vulnerabilities pose significant risks to the federal enterprise; organizations are expected to patch these vulnerabilities by the due date of January 31, 2024.

You can monitor digital assets and identify vulnerabilities that are affecting your organization through SOCRadar’s Attack Surface Management (ASM) module. The Company Vulnerabilities page on ASM includes a CISA KEV Check feature for easy identification of KEV Catalog-listed vulnerabilities affecting your systems.

SOCRadar ASM/Company Vulnerabilities

SOCRadar ASM/Company Vulnerabilities

CISA Emergency Directive Urges Immediate Action Against Ivanti Connect Secure Zero-Day Vulnerabilities

CISA has issued Emergency Directive ED 24-01 to emphasize the active threat posed by vulnerabilities affecting Ivanti. FCEB agencies are directed to implement mitigations, report compromises, and provide detailed reports to the agency. While the directive is specific to FCEB organizations, CISA advises all organizations to address these Ivanti vulnerabilities.

Further alarming is that the SOCRadar Dark Web Team discovered a hacker forum post offering details on these vulnerabilities for $30,000. The actor claims the Python-based exploit only requires an IP address for execution.

The Attack Scheme Exploiting Ivanti Connect Secure Zero-Days

Researchers detected the attacker manipulating legitimate Ivanti Connect Secure components to bypass the Integrity Checker Tool. While predominantly relying on Living Off the Land (LOTL) techniques for stealth, the attacker deployed webshells, proxy utilities, made file modifications, and harvested credentials.

Malicious files found on the compromised Ivanti Connect Secure VPN appliance included a modified Perl module (DSLogConfig.pm), a Perl script (sessionserver.pl, sessionserver.sh) for remounting the filesystem with read/write access, a backdoored component enabling command execution (compcheckresult.cgi), and a modified JavaScript file (lastauthserverused.js) acting as a keylogger.

DSLogConfig.pm executed sessionserver.pl, which, in turn, ran sessionserver.sh, restoring mount settings. Sessionserver.sh modified compcheckresult.cgi, inserting a webshell and evading the Integrity Checker Tool during scans.

Compcheckresult.cgi allowed RCE with proper parameters. Lastauthserverused.js acted as a keylogger, sending harvested credentials to a remote URL. The attacker, armed with information and credentials, pivoted within the network, eventually gaining unrestricted access.

After breaching via the Ivanti Connect Secure VPN appliance, the attacker adopted a systematic approach – moving between systems using compromised credentials, further breaching them, and expanding access via Remote Desktop Protocol (RDP). While exploring the network, Volexity noted reconnaissance activities by the attacker.

During network traffic analysis, researchers also identified the deployment of webshell variants on both internet-accessible and internally accessible servers, which they dubbed as GLASSTOKEN.

*The attacker also tampered with another built-in component of Ivanti Connect Secure, visits.py, incorporating a webshell component referred to as GIFTEDVISITOR.

Understanding the GLASSTOKEN Webshell

The attacker utilized two variations of the webshell: The first version exhibits two distinct code paths, its execution dependent on the parameters present in the request; evidence suggests that Version 1 was primarily employed for executing arbitrary PowerShell commands. Nearly identical to the first version, Version 2 retains only the second code path, facilitating code execution.

Beyond executing commands on the VPN appliance, these webshells served as the primary means for the attacker to maintain persistence.

For comprehensive details on observed attacker activity and insights into these webshells, refer to the detailed research.

Exposure of Ivanti Connect Secure Appliances

A ZoomEye search shows that approximately 13,272 Ivanti Connect Secure appliances and 83 Ivanti Policy Secure appliances are exposed on the internet. This substantial number emphasizes the urgency for organizations to fortify their security posture.

ZoomEye search results for Ivanti Connect Secure

ZoomEye search results for Ivanti Connect Secure

Ivanti Connect Secure Zero-Days Experience a Surge in Exploitation: Global Impact on Organizations

Researchers at Volexity, on January 15, reported a global expansion in the exploitation of the Ivanti Connect Secure VPN through CVE-2023-46805 and CVE-2024-21887.

Initial exploitation activity was attributed to a threat actor tracked as UTA0178, while the latest reports indicate the involvement of additional threat actors. However, researchers also attribute the widespread exploitation – with medium confidence – to UTA0178, citing the use of an identical webshell from previous exploits and the rapid deployment following the publication of details.

Additionally, Volexity observed a suspected exploitation attempt from another threat actor, UTA0188, logged in a patched appliance.

Researchers conducted scans on around 50,000 Ivanti Connect Secure IP addresses to detect compromised appliances and found over 1,700 appliances with the GIFTEDVISITOR webshell.

Geographic distribution of infected appliances (Volexity)

Geographic distribution of infected appliances (Volexity)

The widespread exploitation has impacted a diverse range of organizations, from small businesses to Fortune 500 companies, as reported. Targeted sectors include government, military, telecommunications, technology, finance, aviation, and more.

You can gain a comprehensive understanding of cyber threats specific to your industry by reviewing Industry Threat Landscape Reports on SOCRadar LABS.

Security Recommendations for Compromised Ivanti Connect Secure VPN Appliance

The researchers recommend several security measures to effectively mitigate the impact of an Ivanti Connect Secure VPN appliance compromise:

  • Immediate response is critical upon detecting compromise. Avoid a simplistic wipe-and-rebuild approach.
  • Gather essential evidence by collecting logs, system snapshots, and forensics artifacts (memory and disk) from the compromised Ivanti Connect Secure VPN appliance.
  • Urgently analyze internal systems to track potential lateral movement by the attacker.
  • Assume compromise of any credentials, secrets, or sensitive data stored on the compromised appliance, and take appropriate action to change them.

Ivanti Issued a Warning, Highlighting Critical Race Condition

On January 20, 2024, Ivanti updated the advisory for the CVE-2023-46805 and CVE-2024-21887 vulnerabilities to issue a critical warning about a race condition discovered during the transfer of device configurations. This race condition poses a significant threat to XML remediation, leaving customers vulnerable.

According to the advisory update, pushing new device configurations with XML in place disrupts essential web services and renders the mitigation ineffective. The impact extends to customers who use Pulse One or nSA for configuration pushes, whether full or partial. Ivanti strongly advises customers to stop pushing configurations to appliances with XML in place until the appliance has been patched.

The company also stated that threat actors were observed attempting to manipulate Ivanti’s Internal Integrity Checker (ICT). As a precaution, all customers are advised to use the external ICT, which now includes enhanced functionality that will be integrated into the internal ICT in the future.

Furthermore, as Ivanti reminds customers to use the most recent versions of both external and internal ICT, it says the ICT provides a snapshot of the appliance’s current state and may not detect threat actor activity if the appliance is restored to a clean state; thus, customers are encouraged to run the ICT concurrently with continuous monitoring.

Ivanti Made Patches Available for Connect Secure Zero-Day Vulnerabilities While New Threats Arise

Following the concerning delays, Ivanti released patches for the zero-day vulnerabilities in the Connect Secure and Policy Secure Gateways as of January 31, 2024.

These patches are available with Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and ZTA version 22.6R1.3.

As a precautionary measure, Ivanti recommends that customers factory reset their appliances before applying the patch to prevent threat actors from gaining upgrade persistence in their environment. For detailed instructions, refer to the Ivanti advisory.

The Zero-Day Vulnerabilities Were Used to Deliver KrustyLoader

On the other hand, Volexity recently reported the 12 nearly identical Rust payloads used in attacks, which subsequently executed a variant of the Sliver red-teaming tool. The variant was later dubbed KrustyLoader by researcher Théo Letailleur.

According to Letailleur, KrustyLoader is well-obfuscated and executes specific checks to run only if conditions are met. The use of Rust in its development adds complexity to understanding its behavior. The researcher provided hashes and Indicators of Compromise (IoCs) related to KrustyLoader, along with a YARA rule and extraction script on GitHub. The YARA rule and IoCs provided by the researcher have also been included at the end of this blog.

CISA Advises New Mitigation Method in Response to Threat Actors’ Activity

CISA issued an alert just before the patch release, providing defenders with new mitigations. CISA emphasized that certain threat actors have developed workarounds to existing mitigations and detection methods, exploiting the vulnerabilities.

Organizations running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways are advised by CISA to conduct continuous threat hunting on systems connected to the Ivanti device. Additionally, monitoring authentication, account usage, and identity management services that could be exposed is crucial, along with isolating systems from enterprise resources as much as possible.

Now that patches are available, after applying them, CISA recommends ongoing network monitoring to detect any compromises that may have occurred prior to patch implementation.

How Can SOCRadar Help?

Beyond Attack Surface Management (ASM), SOCRadar XTI offers comprehensive Vulnerability Intelligence to provide the latest updates about known vulnerabilities, including available exploits, repositories, hacker trends, and exploitability risks.

SOCRadar Vulnerability Intelligence

SOCRadar Vulnerability Intelligence

Experience the power of SOCRadar by signing up for the free edition, unlocking its XTI capabilities to elevate your vulnerability management strategy.

Indicators of Compromise (IOCs)

Here are the Indicators of Compromise (IOCs) found related to the exploitation activity:

IP Addresses:

  • 206.189.208.156
  • 75.145.243.85
  • 47.207.9.89
  • 98.160.48.170
  • 173.220.106.166
  • 73.128.178.221
  • 50.243.177.161
  • 50.213.208.89
  • 64.24.179.210
  • 75.145.224.109
  • 50.215.39.49
  • 71.127.149.194
  • 173.53.43.7

Hostnames:

  • symantke[.]com (Attacker domain used to collect credentials from compromised devices)
  • gpoaccess[.]com (Suspected attacker domain)
  • webb-institute[.]com (Suspected attacker domain)

YARA Rule for KrustyLoader:

rule Linux_Downloader_KrustyLoader
{
    meta:
        author = "Theo Letailleur, Synacktiv"
        source = "Synacktiv"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        category = "MALWARE"
        malware = "KrustyLoader"
        description = "Yara rule that detects Linux KrustyLoader"

    strings:
        $tokio_worker = "TOKIO_WORKER_THREADS"
        $tmpdir = "/tmp/"

        // Load "/proc/self/exe" string
        $proc_self_exe = {
            48 B? 73 65 6C 66 2F 65 78 65 // mov     r64, 6578652F666C6573h
            48 8D B4 24 ?? ?? 00 00       // lea     rsi, [rsp+????h]
            48 89 46 0?                   // mov     [rsi+6], r64
            48 B? 2F 70 72 6F 63 2F 73 65 // mov     r64, 65732F636F72702Fh
            48 89 0?                      // mov     [rsi], r64
        }

        $pipe_suffix = "|||||||||||||||||||||||||||"

        // AES key expansion
        $aeskeygenassist = {
            660F3ADF0601 // aeskeygenassist xmm0, xmmword ptr [rsi], 1
            660F7F07     // movdqa  xmmword ptr [rdi], xmm0
            C3           // retn
        }

        // AES InvMixColumns
        $aesinvmixcol = {
            660F38DB06  // aesimc  xmm0, xmmword ptr [rsi]
            660F7F07    // movdqa  xmmword ptr [rdi], xmm0
            C3          // retn
        }

    condition:
        uint32(0) == 0x464C457F and
        (
            all of them
        )
}
SHA256Stage URLSliver C2
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04hxxp://blog-app-system2.s3.amazonaws[.]com/CGK63gVfWs52hhxxps://update.sysupdates[.]org
816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17hxxp://beansdeals-static.s3.amazonaws[.]com/1vzo0KenG4IKNhxxps://api.farstream[.]org
c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28hxxp://breaknlinks.s3.amazonaws[.]com/Bx8DH5OhdG3hYhxxps://ntp.sysupdates[.]org
c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026hxxp://be-at-home.s3.ap-northeast-2.amazonaws[.]com/2ekjMjslSG9uIhxxps://music.farstream[.]org
d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0hxxp://acapros-app.s3-us-west-2.amazonaws[.]com/Z0RM2DsTiBrmbForbidden 403 on Stage Host
6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01hxxp://acapros-app.s3-us-west-2.amazonaws[.]com/Lf6ceJhYiO7w4Forbidden 403 on Stage Host
a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960hxxp://bbr-promo.s3.amazonaws[.]com/NWEUW983Ve4g1hxxps://update.sysupdates[.]org
ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815hxxp://bigtimeassets.s3.amazonaws[.]com/sTj9glpy3JMw5hxxps://music.farstream[.]org
76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271fhxxp://ahha-asset.s3.ap-northeast-2.amazonaws[.]com/7J0WhInu49Teghxxps://ntp.sysupdates[.]org
e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2hxxp://bringthenoiseappnew.s3.amazonaws[.]com/mi1FLmycM4of4hxxps://check.sysupdates[.]org
73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6hxxp://2261992.s3.amazonaws[.]com/kvdoEAH0y495phxxps://video.farstream[.]org
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0hxxp://bringthenoiseappnew.s3.amazonaws[.]com/iEgJ4J7Uc9YgChxxps://ntp.sysupdates[.]org