Passthrough: Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

CISA released a joint Cybersecurity Advisory (CSA) today in coordination with the FBI, MS-ISAC, and multiple international partners to emphasize that cyber threat actors continue exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. The advisory was developed with the cooperation of Volexity, Ivanti, Mandiant, and other industry partners.

Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise. 

The authoring organizations encourage network defenders to:

1. Assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised.
2. Hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory.
3. Run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available.

Access the full CSA at CISA. 

See previous WaterISAC coverage pertaining to the Ivanti vulnerabilities:

• Vulnerability Notification – Active Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways (Update: January 16, 2024)
• Ivanti Connect Secure Activity
• Update January 30, 2024: (TLP:CLEAR) WaterISAC Advisory: CISA Issues Emergency Directive on Ivanti Vulnerabilities
• Vulnerability Awareness Updates – Ivanti Patches Available, but Two New Vulnerabilities Disclosed

Additional Technical Resources:

• Ivanti Connect (in)Secure – Revisited | Censys
• Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant