Mar 01, 2024NewsroomRootkit / Threat Intelligence

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

• CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
• CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
• CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
• CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
• CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.

The directory exclusions were also previously highlighted by Eclypsium this month, stating the tool skips a dozen directories from being scanned, thus allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.

They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

Feb 27, 2024NewsroomCloud Security / Threat Intelligence

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.

These include –

• Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premise networks

• Using tokens to access victims’ accounts without the need for a password

• Leveraging password spraying and credential reuse techniques to seize control of personal accounts, use prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network

• Making it harder to distinguish malicious connections from typical users by utilizing residential proxies to make the malicious traffic appear as if it’s originating from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and conceal their true origins

“For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR should be to protect against SVR’ TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb.”