Ivanti – INDIA NEWS (http://www.indiavpn.org, News Blog)

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
http://www.indiavpn.org/2024/04/05/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/
Published: Fri, 05 Apr 2024 10:00:27 +0000

Apr 05, 2024 | Newsroom | Advanced Persistent Threat


Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.


The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

  • PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
  • TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to gain domain admin access.


Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

  • SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
  • SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
  • SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
  • SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”


UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.

Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure
http://www.indiavpn.org/2024/04/04/ivanti-rushes-patches-for-4-new-flaw-in-connect-secure-and-policy-secure/
Published: Thu, 04 Apr 2024 05:12:10 +0000

Apr 04, 2024 | Newsroom | Network Security / Vulnerability


Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

  • CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.
  • CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack.
  • CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack or, in certain conditions, read contents from memory.
  • CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion, thereby resulting in a limited-time DoS.

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it’s not aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”


Late last month, Ivanti shipped patches for a critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.

It also resolved another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.

In an open letter published on April 3, 2023, Ivanti’s CEO Jeff Abbott said the company is taking a “close look” at its own posture and processes to meet the requirements of the current threat landscape.

Abbott also said “events in recent months have been humbling” and that it’s executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.

“We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program,” Abbott said.

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
http://www.indiavpn.org/2024/03/26/cisa-alerts-on-active-exploitation-of-flaws-in-fortinet-ivanti-and-nice-products/
Published: Tue, 26 Mar 2024 06:44:47 +0000

Mar 26, 2024 | Newsroom | Cyber Attack / Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities added are as follows –

  • CVE-2023-48788 (CVSS score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability

The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.


Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.

CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.

Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.

CVE-2019-7256, which permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.

The flaw, alongside 11 other bugs, was addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.

In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.

The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.


The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agencies said.

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability
http://www.indiavpn.org/2024/03/21/ivanti-releases-urgent-fix-for-critical-sentry-rce-vulnerability/
Published: Thu, 21 Mar 2024 04:49:03 +0000

Mar 21, 2024 | Newsroom | Vulnerability / Web Security


Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats.

Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6.

“An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” the company said.


The flaw impacts all supported versions (9.17.0, 9.18.0, and 9.19.0) as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal.

It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for “their collaboration on this issue.”

Ivanti emphasized that it’s not aware of any customers affected by CVE-2023-41724, and added that “threat actors without a valid TLS client certificate enrolled through EPMM cannot directly exploit this issue on the internet.”

Recently disclosed security flaws in Ivanti software have been subject to exploitation by at least three different suspected China-linked cyber espionage clusters tracked as UNC5221, UNC5325, and UNC3886, according to Mandiant.

The development comes as SonarSource revealed a mutation cross-site scripting (mXSS) flaw impacting an open-source email client called Mailspring aka Nylas Mail (CVE-2023-47479) that could be exploited to bypass sandbox and Content Security Policy (CSP) protections and achieve code execution when a user replies to or forwards a malicious email.


“mXSS takes advantage of that by providing a payload that seems innocent initially when parsing (during the sanitization process) but mutates it to a malicious one when re-parsing it (in the final stage of displaying the content),” security researcher Yaniv Nizry said.

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities
http://www.indiavpn.org/2024/03/01/five-eyes-agencies-warn-of-active-exploitation-of-ivanti-gateway-vulnerabilities/
Published: Fri, 01 Mar 2024 08:23:19 +0000

Mar 01, 2024 | Newsroom | Rootkit / Threat Intelligence


The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.


The directory exclusions were also previously highlighted by Eclypsium this month, stating the tool skips a dozen directories from being scanned, thus allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.


They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
http://www.indiavpn.org/2024/02/29/chinese-hackers-exploiting-ivanti-vpn-flaws-to-deploy-new-malware/
Published: Thu, 29 Feb 2024 06:50:34 +0000


At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.

UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent access to compromised appliances, Mandiant said.

The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter.

It’s worth pointing out that UNC3886 has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.

“UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions,” Mandiant researchers said.

The active exploitation of CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA – by UNC5325 is said to have occurred as early as January 19, 2024, targeting a limited number of devices.


The attack chain entails combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to susceptible appliances, ultimately leading to the deployment of a new version of BUSHWALK.

Some instances have also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which comes with capabilities to persist across system upgrade events, patches, and factory resets.

It further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxy, and network traffic tunneling.

Also observed is another malicious SparkGateway plugin dubbed PITDOG that injects a shared object known as PITHOOK in order to persistently execute an implant referred to as PITSTOP that’s designed for shell command execution, file write, and file read on the compromised appliance.


Mandiant described the threat actor as having demonstrated a “nuanced understanding of the appliance and their ability to subvert detection throughout this campaign” and using living-off-the-land (LotL) techniques to fly under the radar.

The cybersecurity firm said it expects “UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”

Links Found Between Volt Typhoon and UTA0178

The disclosure comes as industrial cybersecurity company Dragos attributed China-sponsored Volt Typhoon (aka Voltzite) to reconnaissance and enumeration activities aimed at multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.


“Voltzite’s actions towards U.S. electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks,” it said.

Volt Typhoon’s victimology footprint has since expanded to include African electric transmission and distribution providers, with evidence connecting the adversary to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.


The cyber espionage actor, which heavily relies on LotL methods to sidestep detection, joins two other new groups, namely Gananite and Laurionite, that came to light in 2023, conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.

“Voltzite uses very minimal tooling and prefers to conduct their operations with as little a footprint as possible,” Dragos explained. “Voltzite heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration.”

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
http://www.indiavpn.org/2024/02/15/ivanti-pulse-secure-found-using-11-year-old-linux-version-and-outdated-libraries/
Published: Thu, 15 Feb 2024 18:22:22 +0000


A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains.

Eclypsium, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.

“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” the firmware security company said in a report shared with The Hacker News.

The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deliver a wide range of malware, including web shells, stealers, and backdoors.

The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could permit threat actors to access otherwise restricted resources without any authentication.


In an alert published yesterday, web infrastructure company Akamai said it has observed “significant scanning activity” targeting CVE-2024-22024 starting February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.

Eclypsium said it leveraged a PoC exploit for CVE-2024-21893 that was released by Rapid7 earlier this month to obtain a reverse shell to the PSA3000 appliance, subsequently exporting the device image for follow-on analysis using the EMBA firmware security analyzer.

This not only uncovered a number of outdated packages – corroborating previous findings from security researcher Will Dormann – but also a number of vulnerable libraries that are cumulatively susceptible to 973 flaws, out of which 111 have publicly known exploits.

[Figure: Number of scanning requests per day targeting CVE-2024-22024]

Perl, for instance, hasn’t been updated since version 5.6.1, which was released 23 years ago on April 9, 2001. The Linux kernel version is 2.6.32, which reached end-of-life (EoL) as of March 2016.

“These old software packages are components in the Ivanti Connect Secure product,” Eclypsium said. “This is a perfect example as to why visibility into digital supply chains is important and why enterprise customers are increasingly demanding SBOMs from their vendors.”

Furthermore, a deeper examination of the firmware unearthed 1,216 issues in 76 shell scripts, 5,218 vulnerabilities in 5,392 Python files, in addition to 133 outdated certificates.

The issues don’t end there, for Eclypsium found a “security hole” in the logic of the Integrity Checker Tool (ICT) that Ivanti has recommended its customers to use in order to look for indicators of compromise (IoCs).

Specifically, the script has been found to exclude over a dozen directories such as /data, /etc, /tmp, and /var from being scanned, thereby hypothetically allowing an attacker to deploy their persistent implants in one of these paths and still pass the integrity check. The tool, however, scans the /home partition that stores all product-specific daemons and configuration files.


As a result, deploying the Sliver post-exploitation framework to the /data directory and executing ICT reports no issues, Eclypsium discovered, suggesting that the tool provides a “false sense of security.”

It’s worth noting that threat actors have also been observed tampering with the built-in ICT on compromised Ivanti Connect Secure devices in an attempt to sidestep detection.

In a theoretical attack demonstrated by Eclypsium, a threat actor could drop their next-stage tooling and store the harvested information in the /data partition and then abuse another zero-day flaw to gain access to the device and exfiltrate the data staged previously, all the while the integrity tool detects no signs of anomalous activity.

“There must be a system of checks and balances that allows customers and third-parties to validate product integrity and security,” the company said. “The more open this process is, the better job we can do to validate the digital supply chain, namely the hardware, firmware, and software components used in their products.”

“When vendors do not share information and/or operate a closed system, validation becomes difficult, as does visibility. Attackers will most certainly, as evidenced recently, take advantage of this situation and exploit the lack of controls and visibility into the system.”

Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures
http://www.indiavpn.org/2024/02/13/ivanti-vulnerability-exploited-to-install-dslog-backdoor-on-670-it-infrastructures/
Published: Tue, 13 Feb 2024 08:05:03 +0000

Feb 13, 2024 | Newsroom | Vulnerability / Cyber Threat


Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices.

That’s according to findings from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-of-concept (PoC) code.

CVE-2024-21893, which was disclosed by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication.

The Utah-based company has since acknowledged that the flaw has limited targeted attacks, although the exact scale of the compromises is unclear.


Then, last week, the Shadowserver Foundation revealed a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both Rapid7 and AssetNote shared additional technical specifics.

Orange Cyberdefense’s latest analysis shows that compromises have been detected as early as February 3, with the attack targeting an unnamed customer to inject a backdoor that grants persistent remote access.

“The backdoor is inserted into an existing Perl file called ‘DSLog.pm,'” the company said, highlighting an ongoing pattern in which existing legitimate components – in this case, a logging module – are modified to add the malicious code.


DSLog, the implant, comes fitted with its own tricks to hamper analysis and detection, including embedding a unique hash per appliance, thereby making it impossible to use the hash to contact the same backdoor on another device.

The same hash value is supplied by the attackers to the User-Agent header field in an HTTP request to the appliance to allow the malware to extract the command to be executed from a query parameter called “cdi.” The decoded instruction is then run as the root user.

“The web shell does not return status/code when trying to contact it,” Orange Cyberdefense said. “There is no known way to detect it directly.”
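Even without a direct signature, the request pattern described above (a “cdi” query parameter and a hash-only User-Agent) can be hunted for in web access logs. The following is an added example, not Orange Cyberdefense’s or Ivanti’s code; the combined-format log layout, the /example/path URL and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not Orange Cyberdefense's or Ivanti's code. It assumes a generic
# combined-format access log; the real appliance log layout may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The per-appliance hash is not known in advance, so match its shape instead:
# a User-Agent that is one long hex string and nothing else.
HASH_UA_RE = re.compile(r'^[0-9a-fA-F]{32,}$')

# Constructed sample lines: a benign request, a request carrying the "cdi"
# parameter with a hash-only User-Agent, and one with "cdi" but a browser UA.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2024:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2024:10:13:44 +0000] "GET /example/path?cdi=c2FtcGxl HTTP/1.1" 200 0 "-" "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
203.0.113.9 - - [03/Feb/2024:10:15:02 +0000] "GET /example/path?x=1&cdi=ZXhhbXBsZQ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def find_dslog_indicators(log_text):
    """Return one finding per request that matches the DSLog request pattern.

    severity 'high'  : "cdi" query parameter plus a hash-only User-Agent
                       (both traits the analysis attributes to the backdoor);
    severity 'medium': "cdi" query parameter alone.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        query = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
        if 'cdi' not in query:
            continue
        hash_ua = HASH_UA_RE.match(m.group('ua')) is not None
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'cdi': query['cdi'][0],
            'user_agent': m.group('ua'),
            'severity': 'high' if hash_ua else 'medium',
        })
    return findings


if __name__ == '__main__':
    for f in find_dslog_indicators(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} cdi={f['cdi']} ua={f['user_agent'][:16]}...")
```

Because the same analysis saw attackers erasing “.access” logs, a log file that is missing or unexpectedly short for the exposure window is itself worth treating as a finding, not as an absence of evidence.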

It further observed evidence of threat actors erasing “.access” logs on “multiple” appliances in a bid to cover up the forensic trail and fly under the radar.

But by checking the artifacts that were created when triggering the SSRF vulnerability, the company said it was able to detect 670 compromised assets during an initial scan on February 3, a number that has dropped to 524 as of February 7.

In light of the continued exploitation of Ivanti devices, it’s highly recommended that “all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”

New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways
http://www.indiavpn.org/2024/02/09/new-ivanti-auth-bypass-flaw-affects-connect-secure-and-zta-gateways/

Feb 09, 2024 | Newsroom | Vulnerability / Zero Day

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.

The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

CVE-2024-22024 affects the following versions of the products –

  • Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
  • Ivanti Policy Secure (version 22.5R1.1)
  • ZTA (version 22.6R1.3)

Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.

Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, it’s imperative that users move quickly to apply the latest fixes.

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation
http://www.indiavpn.org/2024/02/06/recent-ssrf-flaw-in-ivanti-vpn-products-undergoes-mass-exploitation/

Feb 06, 2024 | Newsroom | Cybersecurity / Vulnerability

A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim, among other things, to establish a reverse shell.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a “limited number of customers,” but cautioned that the situation could change after public disclosure.

That’s exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.

It’s worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.

The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.

Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.
