Bypassing Barriers: Ivanti Connect Secure VPN Under Fire Again!

Talk about a digital dumpster fire! Ivanti Connect Secure, a popular VPN, is under attack, and it’s not a minor hit. With hackers bypassing two-factor authentication and exploiting Ivanti VPN vulnerabilities, it’s like the wild west of the world wide web. Makes you yearn for the ‘you’ve got mail’ days, doesn’t it?

Hot Take:

Here we go again, folks! Yet another widely used VPN appliance, Ivanti Connect Secure, is under attack. These hackers are not only bypassing two-factor authentication but also executing malicious code inside networks. Kinda makes you miss the good old days of dial-up internet, doesn’t it? At least then, the worst thing that could happen was someone picking up the phone and disconnecting you from your AOL chat room.

Key Points:

  • Two critical zero-day vulnerabilities in Ivanti Connect Secure are being actively exploited by unknown threat actors.
  • Researchers at Volexity found that these vulnerabilities let attackers run commands on the appliance with little effort.
  • The hacks are attributed to a threat actor tracked under the alias UTA0178, suspected to be a Chinese nation-state-level threat actor.
  • VPNs, like Ivanti Connect Secure, are major targets due to their edge position in a protected network and an always-on status.
  • There are roughly 15,000 affected Ivanti appliances around the world, according to researcher Kevin Beaumont.

Need to know more?

A Cascade of Vulnerabilities

What we have here is a classic case of "when it rains, it pours." The two vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, are found in Ivanti Connect Secure, a VPN appliance. This isn't the first time Ivanti has been in the spotlight for the wrong reasons. The product, previously known as Pulse Secure, has harbored zero-days in recent years that were exploited to devastating effect. You'd think they would've learned their lesson...

Exploiters, Start Your Engines!

According to the Volexity team, these vulnerabilities are like a red carpet for attackers, enabling them to steal configuration data, modify existing files, download remote files, and even reverse tunnel from the ICS VPN appliance. In short, it's a hacker's paradise. The attacker can even modify a JavaScript file used by the Web SSL VPN component of the device to keylog and exfiltrate credentials for users logging into it. Yikes!

The Race is On

As the news about these zero-days spreads, there is a potential race to compromise devices before mitigations are applied. The attacker could also decide to share the exploit, or other attackers might work it out on their own. For anyone who knows the details, the exploit is quite easy to pull off: it requires no authentication and can be carried out over the Internet. Sounds like a ticking cyber time bomb!

Round the World in 15,000 Appliances

Kevin Beaumont, a researcher, conducted a scan and discovered about 15,000 affected Ivanti appliances worldwide exposed to the Internet. Beaumont suggests that nation-state-backed hackers appear to be behind the attacks on Ivanti's device. So, it's not just your average Joe trying to get a free Netflix login. This is serious business.