Ivanti Connect Secure, a widely-used VPN solution, has been found to be susceptible to severe security flaws, specifically an authentication bypass and a command injection vulnerability. These vulnerabilities have been actively exploited by malicious entities and have been recognized by the Cybersecurity and Infrastructure Security Agency (CISA) as critical threats, necessitating immediate remediation by federal agencies.
Global Impact and Lack of Official Patch
The exploitation of these vulnerabilities has had a significant global impact, with thousands of internet-accessible Ivanti hosts identified, and over four hundred confirmed to have been compromised with backdoors due to credential theft. Ivanti has not yet released an official patch to address these vulnerabilities, instead providing interim solutions such as recovery steps, workarounds, and mitigation strategies. CISA has issued an emergency directive requiring federal agencies to address the vulnerabilities urgently, highlighting the seriousness due to the vulnerabilities’ widespread exposure and the complexity of mitigation efforts in the absence of a patch.
Insights from Volexity Research
Research conducted by Volexity has shed light on the tactics used by attackers, revealing modifications to a legitimate JavaScript component that resulted in the capture and exfiltration of user login details to a server controlled by the attackers. Further investigations uncovered numerous variants of callback methods employed in the compromised hosts, suggesting the involvement of multiple threat actors in these widespread exploitations.
Volexity and Censys, another research organization, have provided comprehensive reports detailing the nature of these vulnerabilities, their exploitation, and the extent of the compromise. These reports serve as a valuable resource for understanding the current threat landscape and formulating effective defenses.
In light of these findings, all Ivanti users are strongly encouraged to implement the mitigations recommended in Ivanti’s security advisory while awaiting the release of an official patch to protect their networks from potential cyberattacks.
