1 March 2024
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI External Link ), Multi-State Information Sharing & Analysis Center (MS-ISAC External Link ), Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC External Link ), United Kingdom’s National Cyber Security Centre (NCSC External Link ), Canadian Centre for Cyber Security (Cyber Centre External Link ), a part of the Communications Security Establishment, and New Zealand’s National Cyber Security Centre (NCSC-NZ External Link ) and Computer Emergency Response Team (CERT-NZ) released a Cybersecurity Advisory (CSA) today in response to the active exploitation of multiple vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.
The authoring agencies and industry partners have observed persistent targeting of these vulnerabilities by a variety of cyber threat actors. These vulnerabilities (CVE-2023-46805 External Link , CVE-2024-21887 External Link , CVE- 2024-22024 External Link , and CVE-2024-21893 External Link ) can be used in a chain of exploits to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. In turn, exploitation of these vulnerabilities may allow lateral movement, data exfiltration, web shell deployment, credential theft including domain administrators, and persistent access on a target network.
This joint advisory provides technical details on observed tactics used by these threat actors and indicators of compromise to help organizations detect malicious activity. All organizations using these devices should assume a sophisticated threat actor could achieve persistence and may lay dormant for a period of time before conducting malicious activity. Organizations are urged to exercise due caution in making appropriate risk decisions when considering whether to continue operating these devices.
“This advisory clearly shows that malicious actors are continuing to seek out, and actively exploit, vulnerabilities in commonly used technology and software”, said Rob Pope, Director CERT NZ, a part of New Zealand’s National Cyber Security Centre. “Businesses need to stay alert to these vulnerabilities and immediately follow all steps to mitigate or prevent attacks from happening. We strongly recommend that anyone working in the IT sector sign up for updates from their country’s cyber security agencies to stay ahead of the bad guys.”
“Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive External Link to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend,” said CISA Executive Assistant Director Eric Goldstein. “Today’s joint advisory will assist organizations in protecting their networks. Every organization and sector using these products are at risk and are strongly encouraged to adopt the actions outlined in this advisory.”
“The FBI and our partners are releasing this Cybersecurity Advisory so that organizations are able to protect themselves from malicious actors exploiting their networks,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Private and public sector entities should follow the guidance included in this advisory to ensure these critical vulnerabilities are mitigated.”
“The continued targeting of widely used security applications and appliances speaks to the determination of cyber threat actors, with government entities and private organizations alike caught in the crosshairs. Implementing effective controls in areas like asset and vulnerability management, multi-factor authentication, and incident response planning are essential to operational resilience amid today's fast-moving threat landscape,” said Randy Rose, VP, Security Operations & Intelligence, Center for Internet Security, Inc.
“We strongly urge all organisations to patch and take other recommended actions to address this vulnerability. We know it is subject to exploitation by malicious actors who use it to bypass authentication mechanisms and access restricted data on affected devices,” said the acting Head of the Australian Cyber Security Centre, Phil Winzenberg. “If your organisation is using these products, it’s crucial that the guidance in this advisory is implemented immediately, in particular I urge critical infrastructure operators to be alert to new risks.”
“We encourage organisations who have not already to take immediate action to mitigate vulnerabilities impacting affected Ivanti devices by following the recommended steps. This is particularly important for those organisations working across critical infrastructure, as we are aware of the active exploitation of some of these vulnerabilities,” said UK NCSC Chief Technology Officer Ollie Whitehouse. “The NCSC and our international partners also urge software manufacturers to embed secure by design principles into their practices to promote a positive security culture and help improve our collective resilience.”
“Today we join our partners across the Five Eyes to urge organizations in Canada and internationally to follow the advice included in today’s joint advisory as quickly as possible. These vulnerabilities can significantly impact organizations’ networks, emphasizing the need for organizations to implement resilient defence-in-depth mitigations and for manufacturers to prioritize secure by design engineering practices,” said Rajiv Gupta, Associate Head, Canadian Centre for Cyber Security.
To assist organizations with understanding the impacts of this threat, the joint advisory provides key findings from a variety of tests conducted by CISA from an attacker’s perspective.
With our partners, CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices. By aligning to these principles, we will reduce the prevalence and impact of avoidable vulnerabilities and insecure configurations that jeopardize the safety of organizations around the world.
All organizations are urged to review the advisory and implement recommended actions and mitigations.