CISA Issues Emergency Guidance to Federal Agencies on Ivanti Zero-Day Exploits

CISA Issues Emergency Directive

The US Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive on Friday urging Federal Civilian Executive Branch (FCEB) agencies to take action against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development came after the vulnerabilities – an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887) – were widely exploited by multiple threat actors. Chained together, the flaws allow an attacker to craft malicious requests and execute arbitrary commands on the system.

The American company acknowledged in an advisory that it witnessed a “sharp increase in threat actor activity” from January 11, 2024, after the flaws were made public.

“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, conduct data exfiltration, and establish persistent system access, resulting in complete compromise of target information systems,” the agency said.

Ivanti, which is expected to release an update to fix the bugs next week, has made a workaround available via an XML file that can be imported into affected products to make the necessary configuration changes.

CISA urges organizations using ICS to apply the mitigation and run the External Integrity Checker Tool to identify signs of compromise; if any are found, the device should be disconnected from the network and reset, followed by importing the XML file.

Furthermore, FCEB entities are required to revoke and reissue saved certificates, reset the administrator password, save API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity companies Volexity and Mandiant have observed attacks that weaponize the twin flaws by deploying web shells and passive backdoors for persistent access to compromised devices. It is estimated that as many as 2,100 devices have been compromised worldwide to date.

The first wave of attacks identified in December 2023 is attributed to a Chinese nation-state group tracked as UTA0178. Mandiant is monitoring the activity under the name UNC5221, although it is not associated with any specific group or country.

Threat intelligence firm GreyNoise said it has also observed the vulnerabilities being exploited to drop persistent backdoors and XMRig cryptocurrency miners, indicating opportunistic exploitation by bad actors for financial gain.
