  • January 31, 2024

Cyber authorities in the U.S. and Australia have issued new warnings to IT administrators to take more action to protect Ivanti Connect Secure and Policy Secure Gateways. At the same time, Ivanti revealed that two new vulnerabilities for the devices have been discovered, on top of a pair revealed earlier this month.
The latest vulnerabilities are CVE-2024-21888, a privilege escalation vulnerability affecting Policy Secure, and CVE-2024-21893, a server-side request forgery vulnerability affecting supported versions of Connect Secure and Policy Secure Gateways.
Ivanti today issued a patch for Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3 that covers the new holes. More patches are coming.
“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch, to prevent the threat actor from gaining upgrade persistence in your environment,” Ivanti said this morning. Customers should expect the reset process to take three to four hours.
The remaining patches for supported versions will still be released on a staggered schedule, Ivanti adds.
Australia’s Cyber Security Centre said this morning it is aware of reports that threat actors have developed workarounds to some mitigation and detection methods, leading to reported ongoing exploitation activity.
The Centre “strongly advises organizations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems,” the alert says. IT administrators should monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.
The U.S. issued a similar warning on Tuesday.
“Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.”
If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to — or recently connected to — the Ivanti device. Additionally, it said, organizations should monitor authentication, account usage, and identity management services that could be exposed, and isolate the system(s) from any enterprise resources as much as possible.
After applying patches, when these become available, CISA recommends that organizations continue to hunt their networks to detect any compromise that may have occurred before patches were implemented.
These warnings to take mitigation action come almost three weeks after Ivanti issued its first alert of an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in the devices.
Also today, Mandiant issued an update to its background blog on the vulnerabilities. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild, beginning as early as Dec. 3, 2023, by a suspected China-nexus espionage threat actor.
Mandiant notes that a threat actor found a way to get around Ivanti’s recommended mitigation, released Jan. 10, for the first pair of vulnerabilities. That bypass led to the deployment of a custom webshell. Mandiant believes the mitigation bypass activity is “highly targeted, limited, and is distinct from the post-advisory mass exploitation activity.” However, Ivanti’s external integrity checker tool (ICT) successfully detected the presence of the new webshell.
Mandiant notes Ivanti’s external ICT should be used by IT administrators for reviewing logs, because it is more robust and resistant to tampering than the internal version.
The blog also outlines indicators of compromise.

The post Warning: Threat actors getting around some Ivanti mitigations first appeared on IT World Canada.
