Skip to content
Upcoming Webinar: Unleash the Power of Censys Search with Em Averton | June 27 at 1PM ET | Register Now
Blogs

The Mass Exploitation of Ivanti Connect Secure

Compromised Ivanti Connect Secure IPs

Update January 31, 2024:

Two new vulnerabilities, CVE-2024-21893 and CVE-2024-21888, have been identified in Connect Secure, Policy Secure, and ZTA gateways, the former of which is seeing active exploitation. Ivanti has released a new mitigation that serves as a workaround until official patches are available.

A patch is now available for the previously disclosed CVE-2023-46805 and CVE-2024-21887 in Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3. In their advisory, Ivanti recommends a factory reset of the appliance before applying the patch as a precautionary measure. Customers who have applied this patch do not need to implement the mitigation.

Summary

  • CISA’s Emergency Directive 24-01, issued last Friday, requires all FCEB agencies to  mitigate an exploit chain in Ivanti Connect Secure and Policy Secure, currently seeing mass exploitation (CVE-2023-46805 and CVE-2024-21887)
  • When these two CVEs are used, an unauthenticated threat actor can leverage these vulnerabilities to execute arbitrary commands on vulnerable servers.
  • As of Monday, January 22, 2024, Censys observed:
    • Over 26,000 unique Connect Secure hosts are exposed on the public internet. This software’s supported versions (9.x and 22.x) are vulnerable if the reported workarounds/mitigations are not applied to the device.
    • 412 hosts remain compromised with a backdoor used for credential theft.
  • At the time of writing, no official patch has been made available. However, Ivanti has published recovery steps for customers to mitigate their systems in the interim. It’s strongly recommended that you apply this mitigation ASAP and run your systems against the vendor’s Integrity Checker Tool to check for compromise.

Last Friday, CISA issued Emergency Directive 24-01 mandating all Federal Civilian Executive Branch (FCEB) agencies to address two actively exploited vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. These vulnerabilities, CVE-2023-46805 (an authentication bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability), when exploited in combination, allow malicious actors to achieve remote code execution (RCE) on vulnerable servers. All supported versions, including Version 9.x and 22.x, are affected by these vulnerabilities (refer to Ivanti’s version support matrix).

FCEB agencies had until 11:59 EST on Monday, January 22, to implement Ivanti’s recovery steps, run the vendor’s Integrity Checker Tool, and take additional action if signs of compromise were detected.

This directive is no surprise, considering the worldwide mass exploitation observed since Ivanti initially revealed the vulnerabilities on January 10. These vulnerabilities are particularly serious given the severity, widespread exposure of these systems, and the complexity of mitigation – especially given the absence of an official patch from the vendor as of the current writing. Ivanti outlined a plan to release patches on a staggered schedule beginning this week.

Volexity researchers first identified exploitation attempts dating back to December 2023. Subsequent analysis revealed that the initial activity was likely the work of an unidentified threat actor tracked by Volexity as “UTA0178.” A Proof of Concept was published on January 16.

Censys researchers conducted scans to dig deeper into the extent of compromised servers.

Censys Findings

As of Monday, January 22, 2024, Censys observed the following: 

 

Description Value
Number of Unique Connect Secure Hosts 26,095
Number of Unique Compromised Connect Secure Hosts 412
Percentage of Hosts Compromised 1.5%
Number of Unique Credential Stealing Receivers / Callback URLs 22
Compromised hosts per Autonomous System
Autonomous System Compromised Host Count
MICROSOFT-CORP-MSN 13
AMAZON-02 12
COMCAST-7922 10
DTAG ISP 10
KIXS-AS-KR 7
OCN NTT Communications 6
COLT-GROUP 6
SKB-AS SK 6
UUNET 6
CHINANET-BACKBONE 6
Compromised hosts per Country
Autonomous System Compromised Host Count
United States 121
Germany 26
South Korea 24
China 21
Japan 21
Hong Kong 17
United Kingdom 17
Canada 13
Italy 13
Netherlands 11

In their research, Volexity noted that a legitimate javascript component (/dana-na/auth/lastauthserverused.js),  used to remember the last selected authentication realm, had been found to have been modified by attackers to include various mechanisms to hijack and exfiltrate client login information. This backdoored javascript would send the usernames, passwords, and the URL of the attempted authentication back to an attacker-owned HTTP server.

We conducted a secondary scan on all Ivanti Connect Secure servers in our dataset and found 412 unique hosts with this backdoor. Additionally, we found 22 distinct “variants” (or unique callback methods), which could indicate multiple attackers or a single attacker evolving their tactics.

Censys Search customers can use the following query to identify Ivanti Connect Secure hosts.

services.software.cpe: `cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*`

About the Author

The Censys Research Team
Attack Surface Management Solutions
Learn more