In January 2024, a critical zero-day vulnerability chain emerged in Ivanti Connect Secure and Ivanti Policy Secure Gateways (CVE-2023-46805 and CVE-2024-21887). These vulnerabilities allowed attackers to bypass authentication and ultimately execute arbitrary commands on the system – a recipe for disaster. While both are noted as zero-days, the combination of the two are what made them so critical.
Despite the news stories and warnings about these vulnerabilities, including multiple notices from the Cybersecurity and Infrastructure Security Agency (CISA), it was clear that there had been significant impact, including with multiple U.S. federal agencies including CISA itself.
Organizations with robust security postures weren’t immune, as evidenced by a recent news story from MITRE, a non-profit research and development organization that primarily supports the U.S. federal government, which is known throughout the security world for its frameworks including STIX/TAXII and ATT&CK. MITRE provided initial details for how malicious hackers were able to breach its defenses using the above-mentioned Ivanti vulnerabilities to gain initial access to its enterprise network.
In this blog post, we’ll recap what the Ivanti VPN vulnerabilities are, their impact, and steps you should take to fortify your defenses today.
A Recap of the Ivanti Connect Secure Vulnerabilities
In early January 2024, Volexity published research on two Ivanti vulnerabilities, noting that these vulnerabilities were being actively exploited. The vulnerabilities worked in tandem:
- CVE-2023-46805 (Authentication Bypass): This vulnerability exploited weaknesses in access control, allowing attackers to bypass authentication altogether.
- CVE-2024-21887 (Command Injection): Once unauthenticated access was achieved, attackers could leverage this vulnerability to inject and execute malicious commands on the system.
The critical aspect here is that chaining these vulnerabilities grants remote code execution (RCE) without needing valid credentials. This effectively throws open the door for attackers to infiltrate your network and deploy malware, steal data, or disrupt critical operations.
How It Worked: MITRE’s Ivanti Breach
In MITRE’s detailing of its security breach, they stated that “a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking.” Once in, they moved laterally and used a compromised administrator account to gain access to organization’s the VMware infrastructure.
MITRE noted that they had upgraded and replaced the Ivanti applications, per best practices and government requirements. However, by the time they had done this, the attackers had already moved into the VMware infrastructure and were undetected until April, 4 months after the initial disclosure of the Ivanti vulnerabilities.
MITRE shared significant details of its incident, noting that doing so can “help inform other facing similar threats.” Those details include MITRE ATT&CK tactics, techniques, and procedures that enabled the attackers to first gain access, then gain persistence, evade detection, and exfiltrate data.
Securing Your Network: Patching, Detection, Remediation and Segmentation
While it can be disheartening to know that even the most well-prepared and highly resourced organizations can be infiltrated by cyber-attackers, there are many things you can do to protect your organization.
MITRE emphasized several critical security hardening practices that all enterprises should be undertaking, and we include some below that we believe are foundational.
- Consistent Patch Management: Ensure you prioritize patching, especially if your organization is using Ivanti Connect Secure or Policy Secure Gateways (use the latest updates from Ivanti, which have been available since February 14th, 2024).
- Multi-factor Authentication: Implement strong multi-factor authentication solutions and policies that provide robust protection against session hijacking.
- Regular Vulnerability Management and Remediation: Employ regular, thorough vulnerability scans of your environment for vulnerabilities and address those findings quickly. MITRE’s incident demonstrates just how quickly attackers can jump on vulnerabilities to gain access to an enterprise, and it’s no longer enough to simply find and accept the risk of the vulnerabilities across your environment.
- Segmentation: Network segmentation can significantly limit the damage caused by a breach. By segmenting your network, attackers who gain access to a single segment have a more challenging time moving laterally and compromising your entire infrastructure.
- Layered Security: A layered security approach is crucial. Patching is vital, but don’t rely solely on it. Utilize intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious activity and consider endpoint detection and response (EDR) solutions for additional protection.
This incident serves as a stark reminder that even well-resourced organizations with advanced security measures are susceptible to cyber-attacks. And it underscores the importance of staying vigilant and implementing patches promptly.
Conclusion
As more and more malicious hackers look to take advantage of security vulnerabilities in VPN applications, MITRE’s security incident should serve as a wake-up call to organizations that need to protect their operations and business and customer data. By implementing the recommended security controls to harden your network, working quickly to identify if you have critical vulnerabilities in your environment when they are publicly disclosed, and continuously monitoring your network for potential anomalies, you can significantly reduce the risk of a similar attack.
