Malware hunters at Volexity on Wednesday warned that suspected Chinese nation-state hackers are actively exploiting a pair of unauthenticated remote zero-day vulnerabilities in Ivanti Connect Secure VPN devices.
The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, affect fully patched Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure) and were caught during in-the-wild zero-day exploitation.
Ivanti, a company that has struggled with major security problems, released pre-patch mitigations for the new vulnerabilities but said comprehensive fixes will be released on a staggered schedule beginning on January 22.
“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” Ivanti said.
In a research report, Volexit said it caught the zero-days after noticing suspicious lateral movement on the network of one of its customers, and found that an attacker was placing webshells on multiple internal and external-facing web servers.
The company traced the infections back to the victim company’s Ivanti Connect Secure VPN appliance that showed that its logs had been wiped and logging had been disabled.
“Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023,” the company said.
Volexity said it worked closely with Ivanti in order to obtain disk and memory images from the impacted devices and was able to uncover the exploit chain used by the attacker.
“[We] discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance,” the company said.
“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” Volexity added.
The researchers said they caught the attackers modifying legitimate ICS components and making changes to the system to evade Ivanti’s Integrity Checker Tool; and backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution.
Volexity said the suspected Chinese government-backed hacking team also modified a JavaScript file used by the Web SSL VPN component of the device in order to log keystrokes and exfiltrate credentials for users logging into the VPN.
“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity warned.
Related: Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day
Related: Exploitation of Ivanti Sentry Zero-Day Confirmed
Related: Ivanti Patches Critical Vulnerability in Endpoint Manager
Related: Ivanti Patches Dozen Critical Vulnerabilities in Avalanche MDM Product
