Apr 04, 2024NewsroomNetwork Security / Vulnerability

Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS).

The list of flaws is as follows –

• CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code.

• CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack.

• CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory.

• CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS.

The company, which has been grappling with a steady stream of security flaws in its products since the start of the year, said it’s not aware of “any customers being exploited by these vulnerabilities at the time of disclosure.”

Late last month, Ivanti shipped patches for critical shortcoming in its Standalone Sentry product (CVE-2023-41724, CVSS score: 9.6) that could permit an unauthenticated threat actor to execute arbitrary commands on the underlying operating system.

It also resolved another critical flaw impacting on-premises versions of Neurons for ITSM (CVE-2023-46808, CVSS score: 9.9) that an authenticated remote attacker could abuse in order to perform arbitrary file writes and obtain code execution.

In an open letter published on April 3, 2023, Ivanti’s CEO Jeff Abbott said the company is taking a “close look” at its own posture and processes to meet the requirements of the current threat landscape.

Abbott also said “events in recent months have been humbling” and that it’s executing a plan that essentially changes its security operating model by adopting secure-by-design principles, sharing information with customers with complete transparency, and rearchitecting its engineering, security, and vulnerability management practices.

“We are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program,” Abbott said.

Mar 25, 2024The Hacker NewsData Breach / Password Security

In January 2024, Microsoft discovered they’d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn’t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.

Password spraying: A simple yet effective attack

The hackers gained entry by using a password spray attack in November 2023, Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system which provided them with an initial foothold in the environment. This account either had unusual privileges or the hackers escalated them.

The attack lasted for as long as seven weeks, during which the hackers exfiltrated emails and attached documents. This data compromised a ‘very small percentage’ of corporate email accounts, including those belonging to senior leadership and employees in the Cybersecurity and Legal teams. Microsoft’s Security team detected the hack on January 12th and took immediate action to disrupt the hackers’ activities and deny them further access.

However, the fact that the hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.

The importance of protecting all accounts

While organizations often prioritize the protection of privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing a highly privileged admin account as an entry point.

Protecting an inactive low-privileged account is just as crucial as safeguarding a high-privileged admin account for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.

Second, inactive accounts are often neglected in terms of security measures, making them attractive targets for hackers. Organizations may overlook implementing strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker’s perspective, even low-privileged accounts can provide valuable access to certain systems or data within an organization.

Defend against password spray attacks

The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for robust password protection measures across all accounts, regardless of their perceived significance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught out in the same way.

1. Active Directory auditing: Conducting regular audits of Active Directory can provide visibility into unused and inactive accounts, as well as other password-related vulnerabilities. Audits provide a valuable snapshot of your Active Directory but should always be complemented by ongoing risk mitigation efforts. If you’re lacking visibility into your organization’s inactive and stale user accounts, consider running a read-only audit with our free auditing tool that gives an interactive exportable report: Specops Password Auditor.
2. Robust password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like ‘qwerty’ or ‘123456.’ Implementing long, unique passwords or passphrases is a strong defense against brute-force attacks. Custom dictionaries that block terms related to the organization and industry should also be included.
3. Multi-factor authentication (MFA): Enabling MFA adds an authentication roadblock for hackers to overcome. MFA serves as an important layer of defense, although it’s worth remembering that MFA isn’t foolproof. It needs to be combined with strong password security.
4. Compromised password scans: Even strong passwords can become compromised if end users reuse them on personal devices, sites, or applications with weak security. Implementing tools to continuously scan your Active Directory for compromised passwords can help identify and mitigate potential risks.

Continuously shut down attack routes for hackers

The Microsoft hack underscores the need for organizations to implement robust password protection measures across all accounts. A secure password policy is essential, ensuring that all accounts, including legacy, non-production, and testing accounts, aren’t overlooked. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.

Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.

The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, equals a much more comprehensive defense against the threat of password attack and the risk of password reuse. Speak to expert today to find out how Specops Password Policy could fit in with your organization.

Mar 20, 2024The Hacker NewsArtificial intelligence / Webinar

Did you know that 79% of organizations are already leveraging Generative AI technologies? Much like the internet defined the 90s and the cloud revolutionized the 2010s, we are now in the era of Large Language Models (LLMs) and Generative AI.

The potential of Generative AI is immense, yet it brings significant challenges, especially in security integration. Despite their powerful capabilities, LLMs must be approached with caution. A breach in an LLM’s security could expose the data it was trained on, along with sensitive organizational and user information, presenting a considerable risk.

Join us for an enlightening session with Elad Schulman, CEO & Co-Founder of Lasso Security, and Nir Chervoni, Booking.com’s Head of Data Security. They will share their real-world experiences and insights into securing Generative AI technologies.

Why Attend?

This webinar is a must for IT professionals, security experts, business leaders, and anyone fascinated by the future of Generative AI and security. It’s your comprehensive guide to the complexities of securing innovation in the age of generative artificial intelligence.

What You’ll Learn:

• How GenAI is Reshaping Business Operations: Explore the current state of GenAI and LLM adoption through statistics and insightful business case studies.
• Understanding Security Risks: Dive into the emerging security threats posed by Generative AI.
• Effective Security Strategies for Businesses: Gain insights into proven strategies to navigate GenAI security challenges.
• Best Practices and Tools: Discover best practices and tools for effectively securing GenAI applications and models.

Mar 08, 2024NewsroomNetwork Security / Vulnerability

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user.

The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.

Arising as a result of insufficient validation of user-supplied input, a threat actor could leverage the flaw to trick a user into clicking on a specially crafted link while establishing a VPN session.

“A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token,” the company said in an advisory.

“The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.”

The vulnerability impacts Secure Client for Windows, Linux, and macOS, and has been addressed in the following versions –

• Earlier than 4.10.04065 (not vulnerable)
• 4.10.04065 and later (fixed in 4.10.08025)
• 5.0 (migrate to a fixed release)
• 5.1 (fixed in 5.1.2.42)

Amazon security researcher Paulos Yibelo Mesfin has been credited with discovering and reporting the flaw, telling The Hacker News that the shortcoming allows attackers to access local internal networks when a target visits a website under their control.

Cisco has also published fixes for CVE-2024-20338 (CVSS score: 7.3), another high-severity flaw in Secure Client for Linux that could permit an authenticated, local attacker to elevate privileges on an affected device. It has been resolved in version 5.1.2.42.

“An attacker could exploit this vulnerability by copying a malicious library file to a specific directory in the filesystem and persuading an administrator to restart a specific process,” it said. “A successful exploit could allow the attacker to execute arbitrary code on an affected device with root privileges.”

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains.

Eclypsiusm, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.

“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” the firmware security company said in a report shared with The Hacker News.

The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deliver a wide range of malware, including web shells, stealers, and backdoors.

The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could permit threat actors to access otherwise restricted resources without any authentication.

In an alert published yesterday, web infrastructure company Akamai said it has observed “significant scanning activity” targeting CVE-2024-22024 starting February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.

Eclypsium said it leveraged a PoC exploit for CVE-2024-21893 that was released by Rapid7 earlier this month to obtain a reverse shell to the PSA3000 appliance, subsequently exporting the device image for follow-on analysis using the EMBA firmware security analyzer.

This not only uncovered a number of outdated packages – corroborating previous findings from security researcher Will Dormann – but also a number of vulnerable libraries that are cumulatively susceptible to 973 flaws, out of which 111 have publicly known exploits.

Number of scanning requests per day targeting CVE-2024-22024

Perl, for instance, hasn’t been updated since version 5.6.1, which was released 23 years ago on April 9, 2001. The Linux kernel version is 2.6.32, which reached end-of-life (EoL) as of March 2016.

“These old software packages are components in the Ivanti Connect Secure product,” Eclypsium said. “This is a perfect example as to why visibility into digital supply chains is important and why enterprise customers are increasingly demanding SBOMs from their vendors.”

Furthermore, a deeper examination of the firmware unearthed 1,216 issues in 76 shell scripts, 5,218 vulnerabilities in 5,392 Python files, in addition to 133 outdated certificates.

The issues don’t end there, for Eclypsium found a “security hole” in the logic of the Integrity Checker Tool (ICT) that Ivanti has recommended its customers to use in order to look for indicators of compromise (IoCs).

Specifically, the script has been found to exclude over a dozen directories such as /data, /etc, /tmp, and /var from being scanned, thereby hypothetically allowing an attacker to deploy their persistent implants in one of these paths and still pass the integrity check. The tool, however, scans the /home partition that stores all product-specific daemons and configuration files.

As a result, deploying the Sliver post-exploitation framework to the /data directory and executing ICT reports no issues, Eclypsium discovered, suggesting that the tool provides a “false sense of security.”

It’s worth noting that threat actors have also been observed tampering with the built-in ICT on compromised Ivanti Connect Secure devices in an attempt to sidestep detection.

In a theoretical attack demonstrated by Eclypsium, a threat actor could drop their next-stage tooling and store the harvested information in the /data partition and then abuse another zero-day flaw to gain access to the device and exfiltrate the data staged previously, all the while the integrity tool detects no signs of anomalous activity.

“There must be a system of checks and balances that allows customers and third-parties to validate product integrity and security,” the company said. “The more open this process is, the better job we can do to validate the digital supply chain, namely the hardware, firmware, and software components used in their products.”

“When vendors do not share information and/or operate a closed system, validation becomes difficult, as does visibility. Attackers will most certainly, as evidenced recently, take advantage of this situation and exploit the lack of controls and visibility into the system.”

Feb 09, 2024NewsroomVulnerability / Zero Day

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.

The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

CVE-2024-22024 affects the following versions of the products –

• Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
• Ivanti Policy Secure (version 22.5R1.1)
• ZTA (version 22.6R1.3)

Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.

Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, it’s imperative that users move quickly to apply the latest fixes.

Jan 11, 2024NewsroomCybersecurity / Zero-Day

A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers.

Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178. There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023.

The two vulnerabilities that have been exploited in the wild to achieve unauthenticated command execution on the ICS device are as follows –

• CVE-2023-46805 (CVSS score: 8.2) – An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

• CVE-2024-21887 (CVSS score: 9.1) – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The vulnerabilities can be fashioned into an exploit chain to take over susceptible instances over the internet.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in an advisory.

The company said it has observed attempts on the part of the threat actors to manipulate Ivanti’s internal integrity checker (ICT), which offers a snapshot of the current state of the appliance.

Patches are expected to be released in a staggered manner starting from the week of January 22, 2024. In the interim, users have been recommended to apply a workaround to safeguard against potential threats.

In the incident analyzed by Volexity, the twin flaws are said to have been employed to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”

The attacker further modified a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. In addition, a JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate credentials associated with users logging into the device.

“The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network,” Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster said.

The attacks are also characterized by reconnaissance efforts, lateral movement, and the deployment of a custom web shell dubbed GLASSTOKEN via the backdoored CGI file to maintain persistent remote access to the external-facing web servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert of its own, said it has added the two shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by January 31, 2024.

“Internet-accessible systems, especially critical devices like VPN appliances and firewalls, have once again become a favorite target of attackers,” Volexity said.

“These systems often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate. Organizations need to make sure they have a strategy in place to be able to monitor activity from these devices and quickly respond if something unexpected occurs.”