China-backed attackers blamed for Ivanti zero-day exploits • The Register

Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti.


If you’re an admin or a user of the two products affected, VPN service Ivanti Connect Secure (ICS) and network access control toolkit Policy Secure, you should immediately apply the current workaround in Ivanti’s security update, the US Cybersecurity and Infrastructure Security Agency (CISA) warned last night.


ICS is used widely in enterprises and governments, and more victims are likely to surface now that the vulnerabilities have been disclosed, according to security researcher Kevin Beaumont.

Successful exploitation allows for code execution after bypassing authentication, including MFA, and the vulnerabilities affect all supported versions, Ivanti said.

Ivanti believes fewer than ten victims have been successfully attacked thus far, but according to a Shodan scan by Beaumont, the number of vulnerable gateways exposed to the internet is just north of 15,000. Ivanti is still developing patches, although the mitigation is available here.


Researchers at Volexity disclosed the findings from an investigation into a customer believed to be one of the victims successfully targeted by attacks chaining two zero-days in Ivanti Connect Secure (ICS) and Policy Secure gateways.

While exploitation volume currently appears low, the disclosure of the two vulnerabilities means attackers may now target organizations en masse, since they know who and what to target.


“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” blogged Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster.


“In [one] particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. Volexity observed t ..
