Threat Vector 2.5.24
Ep 15 | 2.5.24

Beyond the Breach: Strategies Against Ivanti Vulnerabilities


Ingrid Parker: These Ivanti vulnerabilities are being actively exploited by a wide variety of threat actors, so you really need to take action now. This is not something that is an area where you can really wait.

David Moulton: Welcome to Threat Vector, a podcast where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. I'm your host David Moulton, director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm joined by Sam Rubin, global head of operations for Unit 42, and Ingrid Parker, senior manager for Unit 42's Intel Response Unit. We're going to discuss the escalating situation related to two new Ivanti vulnerabilities found in Ivanti Connect Secure and Policy Secure products. Sam, Ingrid, thanks for joining me today on Threat Vector. Let's get right into it. Sam, software vulnerabilities are actually pretty common. What makes these last two Ivanti vulnerabilities so critical?

Sam Rubin: Yeah, thanks, David. So I think the first thing to point out is that, yes, software vulnerabilities are common, but anytime it's on something like a VPN concentrator, people take notice. This is how you authenticate to a network or an organization from the outside, from the Internet. So if that has a vulnerability, we've got something to pay attention to. And then in particular with respect to the Ivanti situation, we have this series of vulnerabilities that were identified over the month of January. We had two disclosed on January 10th and then two more on the 31st. And so this sort of string of continuing vulnerabilities that have been exploited got a lot of attention from the federal government, sort of leading up to the US Cybersecurity and Infrastructure Security Agency (CISA) issuing a directive for all federal agencies to disconnect any affected Ivanti products no later than 11:59 PM this past Friday, February 2nd.

David Moulton: How did the directive from CISA influence the response strategies of nongovernmental organizations and the broader cybersecurity community?

Sam Rubin: Sure. So I think the first point here is that this type of directive, this type of action from CISA, is not common. It really highlights the severity of the situation and the perspective that they have that they don't feel comfortable that this is under control and that they're sort of issuing a mandate here to all federal agencies, you need to take action, and that action is to get this software off of your network so you're not using it. It's an unusual step, and I think it really brings to the attention of IT and security administrators nationwide, certainly and potentially globally, that they should probably be doing the same, or at least seriously considering it.

David Moulton: Ingrid, can you explain the nature and potential impact of the newly disclosed vulnerabilities from Ivanti Connect Secure and Policy Secure products, and why they're considered so high risk?

Ingrid Parker: Absolutely. Thanks for having us on, David. So when you look at these vulnerabilities, you really want to focus on the first two that came out. Those work in tandem with each other. And there you're looking at an authentication bypass vulnerability and a command injection vulnerability. And the combination of those actually allows attackers without authentication to run arbitrary commands on a compromised system. So that basically gives that malicious actor access to do whatever they want to on a system. At that point, Ivanti put a set of mitigations in place and was starting to work on patches. However, these two new vulnerabilities put those same systems back at risk again. So even if you were taking care of what happened with the first two vulnerabilities, you are now having that same issue. And in this case, it's very similar. They're different types technically. One's a privilege escalation vulnerability. One's a server-side request forgery vulnerability. These allow hackers to establish persistent system access, including full compromise of your target information systems. And when that happens, that means an actor not only can act on the system that they've gotten access to but they can move laterally within your environment. They can perform data exfiltration. They can take a lot of other actions that go beyond just compromising that single system. And so it's this combination plus the buildup of having multiples of these that is really putting users at risk and needing to take action in order to mitigate these vulnerabilities.

David Moulton: Given that the proof of concept code for these vulnerabilities has been publicly released and we're seeing active exploitation of these vulnerabilities, what immediate step should organizations take to mitigate the risk of exploitation, especially as the patches are still being made available?

Ingrid Parker: Number one is go to the Ivanti site, read their documentation, understand the options that are available to you. Whether that's a mitigation option, whether that's a patching option, figure out what you can actually do in this space assuming that you are at risk. And consider some of the guidance that CISA has put out, especially when it comes to things like actually disconnecting your system; figuring out, you know, what you need to do for additional monitoring. Ivanti itself is actually recommending as a best practice that all customers factory reset their appliance before they apply the patch to prevent the threat actor from gaining upgraded persistence. And so it's really important that you go through, read this set of documentation, understand what's out there and the order that you want to do things in order to make sure that you're going to put yourself in a great protection point. And from there, you need to continue to hunt for potential activity, knowing that these vulnerabilities were in place before patches and mitigations came out. And as I mentioned before, if an actor moves laterally, they can be in other parts of your system. So even as you're patching the Ivanti applications, you want to go ahead and be looking for other types of activity that are going on. And so making sure that you're doing the immediate triage for today but also looking for things that might've happened beyond just that particular appliance is going to be really important.

David Moulton: Sam, how do the tactics, techniques, and procedures observed in the exploitation of these vulnerabilities compare with those of past cybersecurity incidents, particularly those attributed to nation-state actors or APT groups?

Sam Rubin: So with respect to exploitation of the vulnerabilities, our perspective here comes from two fronts. One from Palo Alto Networks' Expanse technology, where we have the ability to globally scan instances of the software. And in some instances, we can see post-exploitation activity, specifically web shells. There's a web shell that's part of the first wave of this attack before it was really published, you know, in early January, or disclosed. And that's a web shell that we see called "gifted visitor." And as part of that, we can see from an HTTP POST response that sends a successful connection back to that web shell that the endpoint, the application, has been compromised. This activity is consistent with activity we've seen from nation-state threat actors in the past, specifically suspected Chinese APT. In addition to that, we have perspective here from the Unit 42 incident response engagements that we're working on, and we have a number of those ongoing. Across that, we're seeing other instances of dropping of web shells on the appliance itself. We're seeing examples of connecting to the compromised VPN from multiple generic Windows host names, things designed to avoid detection. We're seeing that after getting that connection to the VPN, the threat actor's moving laterally through the network using a number of different commands and remote control applications like Remote Desktop. We're seeing various campaigns, some of them leading to ransomware, others to crypto mining. But I think across all this it's important to remember that there's sort of three waves here. The first one was really before the proof of code was published, before January 10th. And this activity we do think and assess is attributed more to this nation-state activity. The second wave here, where we start to see mass exploitation and scanning, is after there was a blog post and some publishing about this vulnerability. And this wave's marked by a shift from more targeted attacks to more mass exploitation. And the third wave, which starts, you know, on or around January 16th, is when there was a proof of code published and made publicly available. And this is when we really see the financially motivated groups getting engaged, attempting to use this as their intrusion vector, before organizations have had an opportunity to patch or control it. And these are the attacks leading to things like ransomware and crypto mining. So really multiple waves here, and absolutely some of it attributable to APT, others more to financially motivated actors.

David Moulton: Ingrid, Ivanti has reported targeted exploitation of the CVEs. How should organizations interpret and act upon such targeted threats, especially when they are part of a sector known to be of interest to nation-state actors?

Ingrid Parker: When thinking about being targeted, I think one of the most important things is to recognize the vulnerabilities, because they have now been around for a few weeks, and there is proof of code out there. You'll actually want to understand where in your timeline you fall to make sure that you are assessing the risk towards you and the likelihood that this is actually targeted activity versus opportunistic activity, so that you can characterize it correctly for your SOC teams and for your leadership. And that means recognizing that if you were one of those groups that was targeted in December, it probably was something where that adversary was uniquely interested in your organization. However, if you're an organization that is seeing attacks against you right now, it is entirely possible, since that proof of code is out there, since we know that there are multiple actor groups using and exploiting these vulnerabilities, that it is just something that is happening as part of the wider activity across the world. And so really understand your timeline and then take that step back and say, okay, especially if you're targeted and you know that you've been targeted, but even if you're not sure if you've been targeted and you're in one of these critical sector organizations, we keep hitting on this, this is something that you need to act upon now. This is, you need to go in, read that CISA directive, understand what Ivanti has put out, go in and be incredibly proactive in actually figuring out what you need to do for mitigations, figuring out what you need to do for patching, determine if you're able to go ahead and, you know, disconnect or, you know, how you're going to actually put these patches into place, and make sure that you do that as quickly as possible. Then you need to step back and say, okay, yes, I've dealt with what's happening right now. But if you're talking about these advanced actor groups, the ones that are targeting us, they are trying to do more than just get in and, you know, steal a set of credentials or work on a single system. They're moving laterally. They are creating persistence. They're looking to, you know, be there for the long haul. And so you really need to continue monitoring your environments, looking at your identity services, and making sure that you're looking for additional things that could've happened beyond just the exploitation of this vulnerability. And we always like to recommend, this is a great time to go in and look at your incident response plan, make sure that it is going to be up-to-date and addresses what's happening in this space. And then as you are finding things or not finding things, share that within your community. Help others to understand, especially within critical infrastructure organizations, what are you seeing, what can you provide, how can you help others. Because when we're talking about these targeted opportunities, there are often unique indicators that you want to share with that community to ensure that others are able to find things that are a little bit more low and slow versus the things that are the big bang that are coming across once vulnerabilities get as widespread as this one is right now.

David Moulton: With over 20,000 exposed instances of Ivanti Connect Secure and Policy Secure products observed globally, what are the broader implications for cybersecurity posture and the potential for widespread exploitation by threat actors?

Ingrid Parker: What I'd like to emphasize here is, you know, we as a community are talking about this right now. The CISA directive just came out. Everybody, you know, podcasts and publishing, and there's a lot of interest. But a few weeks from now, this is still actually going to be there, you know, as something that the cyber actor, you know, community is still acting on. You know, they're going to put, you know, exploitation of this vulnerability into their exploit kits. It's still going to be something that, you know, often a lot of the smaller organizations or those that may not have as robust a security team take a little bit longer in order to put their mitigations into place or put their patching into place. And so what I would encourage everybody to remember is, just because we may move on to the next topic that we're talking about, things like this linger on and have a long, long tail to them. So if you are somebody who is not able to actually take some actions right now, just because you may not see as many reports on this over, you know, the next few weeks as this starts to become more actively addressed, you still need to be very actively monitoring your organization, knowing that this is not going away. You know, with other types of vulnerabilities, it will be years later that you are still seeing actor groups that go ahead and try and put these into play in their TTPs (their tactics, techniques, and procedures). So very much something that is likely to be with us for a long, long time.

David Moulton: Sam, considering the ongoing evolution of this threat landscape, what are some of the best practices for organizations to not only address the current vulnerabilities but also to prepare for and mitigate future cybersecurity threats?

Sam Rubin: Yeah, David, I think there's some really great lessons learned here not only for organizations that have the Ivanti vulnerabilities and are struggling with it but for all of us as defenders, as cybersecurity professionals, about what we could be doing better or differently to protect our organizations. And I would make two big points here. The first is around visibility to your external attack surface. You know, in the IR work that we're doing, in proactive advisory work, you know, a really common theme is that organizations have a really hard time understanding not only their physical assets but their software as well when it comes to, you know, their cloud estate, disparate branch offices, and just shadow IT, the exposures that they have from their IT inventory. So that is certainly a key lesson here, is take steps now proactively to get your arms around your externally facing attack surface. That way when something happens, you are aware of it, you know about the vulnerability, you know where you're exposed, and you can take corrective action quickly. The second point here is, it really underscores and reminds us of something that we all know as cybersecurity professionals, it's defense in depth. It's that assumed breach mentality and that you have steps in place. So even when you have something like this happen, because it will -- this was certainly not the first vulnerability and it won't be the last. You know, there will be another one, you know, maybe another VPN concentrator, maybe another, you know, file-sharing application like we saw recently with a lot of other applications. So assume that something is going to happen. Do you have that layered defense to be able to prevent it from escalating into something broad where you have to call in the third-party IRT? So that comes down to things like the prevention strategies you have, hardening the endpoints to avoid things like privilege escalation, segmentation to keep an incident contained. It comes down to the detection capability you have, where you're aggregating telemetry from across your estate and your different products into one place, and that you've got the right detection logic and automation in place so you can handle and understand what you're seeing at your perimeter, or as things happen inside your network, that you're not overwhelming the SOC, and that you're tracking things like authentication, you know, that you're tracking things like privilege escalation on endpoints. And then lastly, it's that response capability. When things do escalate, do you have the capability with your team, with your toolsets, and with your partners, if need be, to respond quickly to contain a threat before it escalates? So those are the two lessons, David. It's really that visibility and it's that defense-in-depth strategy.

David Moulton: Sam, talk to me about what Palo Alto Networks is doing to help.

Sam Rubin: Yeah, so Palo Alto Networks, we're in a really fortunate position as being one of the world's largest cybersecurity companies. And really, aligned with our mission here, we want to be there to be the security provider of choice. And we are in a position to help. And so I mentioned earlier, the Unit 42 team is doing a ton on the threat intelligence side. Ingrid and the team have published some great research on their blog. We continue to do that. We continue to partner with law enforcement, the intelligence community, and other private sector organizations to get our arms around what the threat actors are doing, what the TTPs are. On the consulting side, we're doing a lot of incident response investigations to help organizations. We're doing compromise assessments, where we're proactively hunting for IOCs and TTPs related to a vulnerability exploitation. And then on top of all of this, Palo Alto Networks has just come out with a no-cost and no-obligation bundle to help organizations get their arms around it. And what that includes is two things. Number one, there is a Unit 42 attack surface assessment where our team will help you identify any exposure related to the Ivanti vulnerability, help you locate at-risk application servers within the environment, and provide a detailed assessment report with tailored recommendations to help you mitigate those risks. The second piece of this is that it includes a 90-day license to Prisma Access. So any organization that needs VPN replacement, they can deploy our Prisma Access for cloud-delivered zero trust capability, and that's at no cost for 90 days.

David Moulton: Sam, can you talk to me about what's driving this no-obligation, no-cost bundle from Palo Alto Networks?

Sam Rubin: Yeah, you know, it's really aligned with our mission as a company. Our mission at Palo Alto Networks is to be the security partner of choice. And this is a way that we can do that. It's also aligned with the vision we have as an organization. Our vision is a world where each day is safer and more secure than the one before. You know, the way I think about these things is really, fundamentally, it comes down to being there to help and to protect our clients.

David Moulton: Ingrid, what's the most important thing a listener should remember from this conversation?

Ingrid Parker: I think the most important thing to understand right now is that these Ivanti vulnerabilities are being actively exploited by a wide variety of threat actors, so you really need to take action now. This is not something that is an area where you can really wait. That can include either deploying the mitigations if a patch is not yet available for your version of the product, or going ahead and following Ivanti's guidance for doing a factory reset and removing the product. And then once you go ahead and do that immediate triage, you want to go ahead and continue to monitor and take a look at the possibility that actors may have moved beyond that original product and may be in other parts of your network. So it's important to look at working with your security operations team, monitoring your identity systems, and making sure that you have completely isolated any kind of risk that you might have in your environment.

David Moulton: How about you, Sam, what's the most important thing you think a listener should remember from this conversation?

Sam Rubin: You need to take action now to make sure that your organization is safe. These vulnerabilities are being actively exploited. And even if you do not have the Ivanti application in your environment, are you assessing your attack surface to make sure it's not out there? Additionally, let's use this as an opportunity to remind ourselves of how we would react, how we would respond, if this was an application that was core to how users are remotely accessing our organization. Let's use this as an opportunity to make sure that we understand our attack surface. Let's make sure it's an opportunity to make sure we have the right prevention, detection, and response strategies and capabilities in place.

David Moulton: Ingrid and Sam, thanks for joining me today on Threat Vector to talk about this developing situation. For the latest insights and research on the Ivanti vulnerabilities, visit the Unit 42 Threat Research Center. A link to the threat brief on the Ivanti vulnerabilities is in the Show Notes. If you believe that you are at risk because of an Ivanti vulnerability, Palo Alto Networks is offering a no-cost, no-obligation emergency bundle for your organization. You can find the details on our website, and we will provide a direct link in our Show Notes. If you think that you may be under attack, contact the experts at Unit 42 to help assess your risk and exposure. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]