The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday urging agencies to mitigate vulnerabilities in Ivanti's Connect Secure VPN devices and Policy Secure tools.
CISA said it had observed “widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions,” which could pose “an unacceptable risk” to federal agencies.
According to the directive, successful exploitation of the vulnerabilities would allow a threat actor to “move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
“When exploited in tandem, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on a vulnerable product,” the directive reads.
“This directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation,” it added.
“As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.”
“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” Ivanti stated.
CISA issued its directive just weeks after cybersecurity firm Volexity said it found active exploitation of two vulnerabilities allowing “unauthenticated remote code execution” in Ivanti Connect Secure VPN.
Researchers at Volexity suspected that a “Chinese nation-state-level threat actor” was behind the exploitation.
“These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure).
“A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address,” it stated.
Volexity said it discovered “two different zero-day exploits,” which were being chained together to achieve unauthenticated remote code execution.
“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” the researchers said.
“In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” they added.
Volexity noted that the information and credentials collected by the attacker “allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”