Both Ivanti Connect Secure and Ivanti Policy Secure gateways have been observed being actively exploited.
Researchers from Rapid7 and security firm Volexity are warning of active exploitation of a pair of vulnerabilities in Ivanti gateways.
Ivanti flagged the vulnerabilities on 11 January, pointing out that they were already being exploited and providing a patching pathway. On the same day, the Australian Cyber Security Centre listed one vulnerability as critical, though both flaws – one in the Ivanti Connect Secure gateway and the other in the Ivanti Policy Secure gateway – are being exploited.
The number of affected devices varies by how you count: according to Rapid7, a Shodan scan for just the public-facing devices shows at least 7,000 machines, while scanning for the Ivanti welcome pages roughly doubles that figure, at the cost of some accuracy.
Regardless, it’s a significant figure. As to how threat actors are taking advantage of the flaws, Volexity has the goods.
“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool,” the company’s researchers said in a blog post.
“Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”
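The tampering Volexity describes above, modifying a legitimate CGI file and a login-page JavaScript file while evading the appliance's own integrity checker, is the kind of change an independent baseline comparison is meant to catch. The following is an added illustration, not code from Volexity, Rapid7 or Ivanti: it hashes every file under a web root, stores the result as a baseline, and later reports files that were modified, added or removed. The directory layout, the file names and the "tampering" are constructed for the example; the only design point it demonstrates is that the baseline must be taken from a known-good state and kept off the device, since an attacker who can alter the on-box checker can also alter a baseline stored beside it.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, set[str]]:
    """Compare the current tree with a baseline taken earlier from a known-good state.

    Returns the relative paths whose content changed, appeared, or disappeared.
    """
    current = build_baseline(root)
    modified = {p for p in baseline if p in current and current[p] != baseline[p]}
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, set[str]]:
    """Constructed scenario (hypothetical layout, not a real appliance image):
    take a baseline of a small web root, then alter a CGI script and a login-page
    JavaScript file and drop one new file, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi").mkdir()
        (root / "js").mkdir()
        (root / "cgi" / "compcheck.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "js" / "login.js").write_text("function login() {}\n")
        (root / "index.html").write_text("<html></html>\n")

        # In practice this baseline would be written to storage the appliance cannot reach.
        baseline = build_baseline(root)

        # Simulated post-compromise state: two legitimate files changed, one file added.
        (root / "cgi" / "compcheck.cgi").write_text("#!/bin/sh\necho ok\n# altered\n")
        (root / "js" / "login.js").write_text("function login() { /* altered */ }\n")
        (root / "dropped.txt").write_text("new\n")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

Running the script prints the two altered paths under "modified" and the dropped file under "added". On a real deployment the baseline would come from a freshly installed or vendor-verified image, and the comparison would be run from a separate host against a copy of the file system, so that neither the hashes nor the checker itself can be edited by whoever controls the appliance.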
The two vulnerabilities are:
“Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure in their environments to take immediate steps to apply the workaround and look for indicators of compromise,” Rapid7 said in a blog post of its own.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.