
Update January 30, 2024: (TLP:CLEAR) WaterISAC Advisory: CISA Issues Emergency Directive on Ivanti Vulnerabilities

Created: Tuesday, January 30, 2024 - 16:00
Categories:
Cybersecurity, Security Preparedness

Attention: Action may be required. If your utility uses affected versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways, please have systems administrators address promptly.

CISA is aware that threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Additionally, there have been reports that Ivanti may be distributing a patch later than expected. As such, CISA has published New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways. Impacted members are encouraged to review this latest guidance and address accordingly.

If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible. Visit CISA for more mitigation details.

January 22, 2024
This afternoon, CISA issued Emergency Directive (ED) 24-01 to address the recently disclosed Ivanti zero-day vulnerabilities. The ED is intended for federal agencies. However, due to this heightened concern, WaterISAC highly recommends utilities which use the affected Ivanti Connect Secure products to apply the Ivanti supplied mitigation as soon as possible. As a reminder, Ivanti expects to release patches on a rolling schedule between the weeks of January 22 – February 19, 2024. Before those patches are released see the recommendations below for mitigation actions to implement now.

Background:
WaterISAC reported earlier this week that active exploitation of Ivanti Connect Secure has become widespread. Multiple threat actor groups have been observed exploiting these vulnerabilities, with victims ranging from small businesses to very large organizations, and impacted verticals including government, military installations, telecommunications, and more.

Last week, Ivanti released information regarding two vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), which chained together allow a malicious threat actor to run commands on the appliance without authenticating, and from there to move laterally across a target network, perform data exfiltration, and establish persistent system access.

CISA stated that it determined an “Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the federal enterprise, high potential for compromise of agency information systems, and potential impact of a successful compromise.”

Mitigation Recommendations

  • System and network administrators are highly encouraged to immediately apply the current workaround in Ivanti's security update.
  • Run the Integrity Checker Tool provided by Ivanti.
  • Given the potential for the deployment of webshells, administrators are encouraged to look for the indicators of compromise identified by Volexity.
  • If the Integrity Checker Tool does detect compromise, follow the “Responding to Compromise” section of Volexity’s recent blog post.
  • Volexity noted that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should ensure logging is enabled and that logs are forwarded off the device, so an unexplained gap in the log stream is itself visible.
  • Beginning Monday January 22, when Ivanti’s first patch is expected, members are encouraged to apply it to affected versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways.
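Two of the recommendations above (monitoring authentication and account usage on systems connected to the gateway, and watching for logging that has been disabled or wiped) lend themselves to a simple hunt over forwarded logs. The following is an added example, not code from WaterISAC, CISA, Ivanti or Volexity; the log line format, the sample entries and the baseline cut-off time are constructed for illustration and are not Ivanti's actual log format. It flags stretches where a normally chatty device goes silent, and successful logins from accounts or source IPs absent from a learned baseline.

```python
"""Hunt constructed auth logs for silent gaps and unfamiliar logins.

Added example; assumes a simple "<ISO timestamp> <event> user=<name> src=<ip>"
line format, which is an illustration, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: steady morning activity, a six-hour silence,
# then logins from an address and an account not seen before.
SAMPLE_LOG = """\
2024-01-20T08:00:00 auth_success user=alice src=203.0.113.10
2024-01-20T08:05:00 auth_success user=bob src=203.0.113.11
2024-01-20T08:10:00 auth_success user=alice src=203.0.113.10
2024-01-20T08:15:00 auth_success user=carol src=203.0.113.12
2024-01-20T08:20:00 auth_success user=bob src=203.0.113.11
2024-01-20T08:25:00 auth_success user=alice src=203.0.113.10
2024-01-20T14:25:00 auth_success user=alice src=198.51.100.77
2024-01-20T14:26:00 auth_success user=svc_backup src=198.51.100.77
2024-01-20T14:30:00 auth_success user=bob src=203.0.113.11
"""


def parse(log_text):
    """Parse lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **fields})
    return sorted(events, key=lambda e: e["ts"])


def find_log_gaps(events, max_gap):
    """Return (start, end) pairs where consecutive entries are more than max_gap apart.
    On a device that normally logs continuously, a silent stretch is worth
    checking against the logs-wiped / logging-disabled behaviour in the advisory."""
    return [(a["ts"], b["ts"]) for a, b in zip(events, events[1:])
            if b["ts"] - a["ts"] > max_gap]


def find_new_source_logins(events, baseline_until):
    """Learn user -> {source IPs} from successful logins before baseline_until,
    then flag later successful logins that do not fit that baseline."""
    baseline = defaultdict(set)
    for e in events:
        if e["event"] == "auth_success" and e["ts"] < baseline_until:
            baseline[e["user"]].add(e["src"])
    known_ips = set().union(*baseline.values()) if baseline else set()

    findings = []
    for e in events:
        if e["event"] != "auth_success" or e["ts"] < baseline_until:
            continue
        if e["user"] not in baseline:
            reason = "account not seen in baseline"
        elif e["src"] not in known_ips:
            reason = "source ip never seen"
        elif e["src"] not in baseline[e["user"]]:
            reason = "new source ip for this account"
        else:
            continue
        findings.append((e["user"], e["src"], reason))
    return findings


def hunt(log_text=SAMPLE_LOG, baseline_until="2024-01-20T12:00:00", max_gap_hours=1.0):
    """Run both checks; timestamps are returned as ISO strings for easy reporting."""
    events = parse(log_text)
    gaps = [(a.isoformat(), b.isoformat())
            for a, b in find_log_gaps(events, timedelta(hours=max_gap_hours))]
    logins = find_new_source_logins(events, datetime.fromisoformat(baseline_until))
    return {"log_gaps": gaps, "suspicious_logins": logins}


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

The baseline cut-off should be set to a time before the earliest plausible exposure, otherwise an attacker's own logins become part of "normal"; the gap threshold should reflect how often the device actually logs in your environment.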

Related Resources

Marked TLP:CLEAR, recipients may share this advisory without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, or TLP, visit CISA.