Ivanti Connect Secure VPN faced a significant security breach involving two critical vulnerabilities – CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed attackers to bypass authentication and execute arbitrary commands remotely. The attackers were able to steal sensitive data, modify files, and set up web shells for persistent network access.
The attacker modifies a native Python package (cav-0.1-py3.6.egg) used by a web server. The attacker adds code to the package, enabling the web server to identify specific server requests containing content starting with the characters “GIF”. When such a request is received, the script within the modified package decodes the base64-encoded request and executes the resulting commands, effectively opening a shell on the server.
In the rapidly evolving world of cybersecurity, the recent breach of Ivanti Connect Secure VPN underscores the critical need for robust and proactive security measures. As attackers continually refine their tactics and exploit vulnerabilities, the demand for advanced cybersecurity solutions becomes ever more pressing. This is where GoSecure, a leader in the cybersecurity industry, comes into play.
GoSecure: Leading with Expertise and Action
GoSecure is a frontrunner in cybersecurity solutions, offering a comprehensive suite of tools and services designed to protect against a wide range of digital threats. With a focus on innovation, expertise, and a deep understanding of the cyber threat landscape, GoSecure provides effective and adaptive solutions to safeguard businesses and organizations.
This is exemplified by our recent engagement with clients facing critical security incidents. One such instance involved a client who approached us for a Digital Forensics & Incident Response Service (DF & IR) unrelated to our GoSecure Titan® Managed Extended Detection and Response (MXDR) service. Our team provided expert guidance and effective solutions to address their specific security needs promptly.
Moreover, another client, actively enrolled in our GoSecure Titan® MXDR service, experienced a direct impact from the Ivanti breach on their unmanaged devices. Our Security Operations Center (SOC) team was quick to respond, engaging in a late-night meeting to determine the next steps. As their trusted advisor, we conducted a thorough analysis and guided them through the DF & IR process, focusing on quickly resolving issues with unmanaged devices that were breached.
GoSecure Services for Enhanced Protection
GoSecure Titan® Managed Extended Detection and Response (MXDR):
GoSecure Titan® MXDR leverage advanced threat detection mechanisms, such as behavioral analysis, machine learning, and anomaly detection, to identify suspicious activities all of which also applies to zero-day threats. In case the unthinkable happen, privilege escalation and lateral movement can be quickly detected and mitigated.
The real-time monitoring and event logging enables quick investigation of what has happened and enables IT personal with the visibility they need to assess risks quickly and reliably.
GoSecure Titan® Vulnerability Management as A Service (VMaaS):
Zero-day vulnerabilities rarely come alone. Threat actors will need to perform privilege escalation or lateral movement to reach their objectives. These additional steps are often performed by leveraging existing low and medium vulnerabilities.
GoSecure Titan® VMaaS is designed to close that gap. It will Identify assets and exposure through scanning, prioritize threats using contextual analysis and respond by updating systems and applications to strengthen resistance to attacks, shorten remediation times and maintain compliance.
Many organizations lack the resources, time, and expertise to effectively manage vulnerabilities and often spend their time patching the wrong vulnerabilities.
GoSecure Titan® VMaaS combines industry leading technology with expert analysis to provide unsurpassed speed, accuracy, consistency, and reliability, giving the organization customized vulnerability management program making them more secure, even against zero-days, while saving time and money.
Recommendations for Organizations:
- Prompt Patch Management: Ensure all systems, including VPN solutions, are regularly updated with the latest security patches.
- Regular Security Audits: Conduct thorough security audits to identify potential vulnerabilities within the network.
- Enhanced Monitoring: Utilize network monitoring and anomaly detection tools to identify unusual network patterns indicative of an attack.
- Incident Response Plan: Have a robust incident response plan in place to quickly contain and mitigate any breaches.
The Ivanti Connect Secure VPN breach serves as a reminder of the constantly evolving threat landscape and the need for organizations to stay vigilant and proactive in their cybersecurity efforts. Implementing solutions like GoSecure Titan® MXDR and GoSecure Titan® VMaaS can provide a more comprehensive defense against such sophisticated cyber threats.
Visit www.gosecure.net to learn more.
Authors: Ben Mabey & Ryan Ackroyed
UPDATE: Shortly after the publication of this security advisory, new developments have emerged regarding Ivanti’s security posture. A newly identified server-side request forgery (SSRF) vulnerability, tracked as CVE-2024-21893, affecting Ivanti Connect Secure and Ivanti Policy Secure servers, is currently being exploited on a mass scale. This vulnerability represents a critical threat, as highlighted by recent attacks and the subsequent urgent advisory from Ivanti for immediate patching.
In response to these escalating threats, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to disconnect affected Ivanti VPN technology within 48 hours, a measure reflecting the gravity of the situation.
Ivanti has also released mitigation instructions for those unable to apply the latest patches immediately, further underscoring the necessity for rapid action in safeguarding against these vulnerabilities.
We urge everyone to review these developments closely. Our team is actively reaching out to provide personalized advisories and support in navigating these updates. Ensuring the security of your infrastructure against such sophisticated threats is our utmost priority, and we are committed to delivering the most current and comprehensive guidance in these challenging times. Your vigilance and prompt action in response to these advisories are crucial in maintaining a robust defense against these and future cybersecurity challenges.
