A Double Threat: Zero-Day Vulnerabilities in AnyDesk and Ivanti


Updated February 9, 2024. Originally published February 7, 2024.

The modern work landscape requires flexibility. Especially these days, this often means enabling distributed workforces and, consequently, a need for remote desktop software that IT teams can use to access critical resources and support employee productivity.

While these tools empower productivity, they also create an attractive target for malicious actors looking to exploit vulnerabilities and gain unauthorized access. Recent zero-day attacks against AnyDesk and Ivanti’s Connect Secure and Policy Secure software serve as stark reminders of the evolving threat landscape and the importance of proactive security measures.

Why Remote Desktop Software is Critical – and Vulnerable

Remote desktop software bridges physical distance, allowing users to control computers remotely as if they were sitting right in front of them. This is invaluable for managing remote servers, providing IT support, and enabling employees to work securely from anywhere. However, this convenience comes at a cost. By their very nature, these applications provide access to sensitive data and systems, making them a prized target for cybercriminals. Exploiting vulnerabilities in remote desktop software can grant attackers complete control over a victim’s machine, potentially leading to data exfiltration, malware deployment, and even ransomware attacks.

Recent Remote Desktop Zero-Day Exploits

In January 2024, researchers discovered two critical zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure software. These vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allowed attackers to bypass authentication and execute arbitrary code, essentially granting them full control over the affected systems. Worryingly, evidence suggests these vulnerabilities were actively exploited in the wild before patches were available.

Unfortunately for Ivanti, two additional zero-days were disclosed last week. Security researchers have noted that state-sponsored Chinese hackers have exploited some of the Ivanti Connect Secure vulnerabilities, using them to target federal agencies. In the TechCrunch coverage of these Ivanti vulnerabilities, Steven Adair, founder of Volexity, a cyber threat intelligence company, noted that “at least 2,200 Ivanti devices have been compromised to date.”

Another concerning discovery came just last week, when a zero-day vulnerability was found by AnyDesk, a popular remote desktop application. Details of this February vulnerability remain hazy, as AnyDesk has published little about it. AnyDesk noted that it revoked all security certificates and reset all user passwords for its web portal, requiring users to change or update their passwords. Shortly after this notice, a cybersecurity company called Resecurity identified dark web actors who were selling 18,000+ AnyDesk customer credentials.

Impacted Sectors

These vulnerabilities are serious, and they carry the potential for widespread disruption across critical infrastructure sectors.

The impact of these vulnerabilities extends beyond specific companies and software users. The industries particularly affected by the Ivanti Connect Secure and Policy Secure flaws include government agencies, healthcare institutions, and educational institutions, many of which rely heavily on these solutions for remote access and device management. This widespread adoption, coupled with the critical nature of the exploited systems, makes the vulnerabilities especially concerning.

In fact, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 on January 19, 2024, mandating that all Federal Civilian Executive Branch (FCEB) agencies immediately disconnect affected Ivanti appliances and implement specific mitigation measures. Furthermore, CISA urged all organizations using these products to follow the same guidance as a precaution.

With the disclosure of this new Ivanti vulnerability, CISA released an update to its Emergency Directive 24-01, ordering that all agencies disconnect Ivanti VPN appliances within 48 hours:

Agencies running affected products — Ivanti Connect Secure or Ivanti Policy Secure solutions — are required to immediately perform the following tasks:

    1. As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks. (CISA Supplemental Direction V1: ED 24-01)

Additional guidance includes reviewing configuration settings, completing a full factory reset of the VPN appliance, rebuilding the device and upgrading to a supported software version, and more.

With every day that passes, researchers are uncovering the deep impact of the Ivanti vulnerabilities. In the latest TechCrunch coverage, “Piotr Kijewski, chief executive of Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for exploitation, told TechCrunch on Thursday that the organization has observed more than 630 unique IPs attempting to exploit the server-side flaw,” which was a 270% increase from just last week. Furthermore, TechCrunch cites analysis that “shows the bug can be exploited to bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities, effectively rendering those pre-patch mitigations moot.”

Similarly, the AnyDesk vulnerability is affecting a diverse range of users, from individual professionals to large corporations relying on the software for remote collaboration and support. AnyDesk notes on its website that it has over 170,000 customers, including many high-tech enterprises. While the potential impact may be broad, the swift security measures implemented by AnyDesk, forcing re-authentication, will hopefully limit the short-term impact. The long-term impact remains to be seen, as many people still re-use passwords.

Taking Action for Affected Ivanti and AnyDesk Users

If you use Ivanti Connect Secure or Policy Secure, ensure you have applied the latest patch immediately. For the latest vulnerability (CVE-2024-21893), Ivanti has also released temporary mitigations while a comprehensive fix is developed.

For AnyDesk users, reset your passwords; don’t re-use your previous one or another password used elsewhere; and update to version 7.0.15 or 8.0.8 to mitigate the impact of this latest vulnerability.
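A small triage script that applies the two actions above to a software inventory, flagging AnyDesk installs below the fixed 7.0.15 / 8.0.8 releases and every Ivanti Connect Secure or Policy Secure appliance covered by ED 24-01 (an added example, not code from Syxsense, AnyDesk or Ivanti; the inventory rows are constructed sample data, and treating AnyDesk lines newer than 8.x as already fixed is an assumption):

```python
"""Triage a (host, product, version) inventory against the AnyDesk and
Ivanti advisories discussed in the post. Added example; sample data only."""

# Minimum fixed AnyDesk release per major version line, as named in the post.
ANYDESK_FIXED = {7: (7, 0, 15), 8: (8, 0, 8)}

# Products covered by CISA ED 24-01: every instance must be disconnected,
# factory reset and rebuilt regardless of its version.
IVANTI_ED_PRODUCTS = {"Ivanti Connect Secure", "Ivanti Policy Secure"}


def parse_version(text):
    """Turn '7.0.15' into (7, 0, 15); non-numeric parts raise ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def anydesk_needs_update(version):
    """True if this AnyDesk build predates the fixed release for its line.
    Lines older than 7.x have no listed fix, so they are flagged; lines
    newer than 8.x are assumed (assumption) to already carry the fix."""
    v = parse_version(version)
    if v[0] < 7:
        return True
    if v[0] > 8:
        return False
    return v < ANYDESK_FIXED[v[0]]   # tuple comparison handles 8.0.7 < 8.0.8


def triage(inventory):
    """Map (host, product, version) rows to (host, required action) pairs."""
    findings = []
    for host, product, version in inventory:
        if product == "AnyDesk" and anydesk_needs_update(version):
            findings.append((host, f"upgrade AnyDesk {version}; reset credentials"))
        elif product in IVANTI_ED_PRODUCTS:
            findings.append((host, "ED 24-01: disconnect, factory reset, rebuild, patch"))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "AnyDesk", "7.0.14"),
    ("ws-02", "AnyDesk", "8.0.8"),
    ("ws-03", "AnyDesk", "8.0.7"),
    ("vpn-01", "Ivanti Connect Secure", "unknown"),
    ("srv-01", "OpenSSH", "9.6"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```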

Securing Your Remote Desktop Environment

While zero-day vulnerabilities present a significant challenge, proactive measures can mitigate the risk. These vulnerabilities are typically the remote entry point into a network; once inside, attackers exploit other weaknesses to move laterally. The following controls limit both the entry point and the blast radius:

  • Patch Management: Implementing a robust patch management system is crucial. Apply security patches as soon as they become available, prioritizing those addressing critical vulnerabilities like the ones mentioned above.
  • Multi-Factor Authentication (MFA): Enable MFA for all remote desktop connections. This adds an extra layer of security by requiring a second factor, like a code from your phone, in addition to a password.
  • Least Privilege Access: Grant users only the minimum level of access required to perform their tasks. This minimizes the potential damage if an attacker gains access to a specific account.
  • Network Segmentation: Segment your network to isolate critical systems and limit the impact of a potential breach.
  • Vulnerability Scanning and Remediation: Regularly scan your devices and assets to identify vulnerabilities and take prompt action to remediate any issues.
  • Security Awareness Training: Regularly educate employees on cybersecurity best practices, including recognizing phishing attempts and avoiding suspicious links or attachments.

The recent zero-day exploits serve as a stark reminder that vigilance is essential in today’s hyper-digital work environments. By prioritizing proactive security measures and being prepared to respond to identified vulnerabilities quickly, IT leaders can mitigate the risk posed by these threats and protect their organizations from the damaging consequences of remote desktop breaches.

Security is an ongoing process, not a one-time event, so it’s likely we’ll see more situations like this as the year goes on. Stay informed about evolving threats and vulnerabilities, prioritize and automate patch management, and implement robust, proactive security measures to protect your critical assets.

If you’re looking for automated solutions to patching and security vulnerability remediation, check out the Syxsense platform today.