Ivanti's Integrity Checker Tool (ICT) can be deceived into providing a false sense of security, according to a new cybersecurity advisory from the Five Eyes (FVEY) intelligence alliance.
According to the organizations, "Ivanti ICT is insufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite performing factory resets."
Since January 10, 2024, Ivanti has identified five security flaws that have affected its products, four of which have been exploited by multiple threat actors to install malware.
- CVE-2023-46805 (CVSS score: 8.2) - Authentication bypass vulnerability in a web component
- CVE-2024-21887 (CVSS score: 9.0) - Command injection vulnerability in a web component
- CVE-2024-21888 (CVSS score: 8.8) - Privilege escalation vulnerability in a web component
- CVE-2024-21893 (CVSS score: 8.2) - SSRF vulnerability in the SAML component
- CVE-2024-22024 (CVSS score: 8.0) - XXE vulnerability in the SAML component
Mandiant described how an encrypted version of a malware known as BUSHWALK was placed in /data/runtime/cockpit/diskAnalysis, a directory that the ICT excludes from its scan.
The tool skips about a dozen directories when scanning, so an attacker who leaves a backdoor in one of those paths still passes the integrity check, according to a statement released by Eclypsium this month.
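To make the exclusion-list failure mode concrete, here is a small, constructed integrity checker (added illustration; not Ivanti's ICT and not code from any of the organizations cited). It hashes a temporary directory tree, once with a hypothetical exclusion list and once without, then adds a file under the excluded path and compares what each scan reports. The directory names, file contents and the EXCLUDED_DIRS list are all made up for the demonstration; only the diskAnalysis path comes from the reporting above.

```python
"""Toy integrity checker showing why scan exclusions hide changes.
Constructed example: directory layout, contents and exclusion list are made up.
"""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical exclusion list, standing in for the directories a vendor
# tool might skip. Only the diskAnalysis path is taken from the reporting.
EXCLUDED_DIRS = ("data/runtime/cockpit/diskAnalysis", "data/tmp")


def file_hash(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded=()) -> dict:
    """Map relative path -> sha256 for every regular file under root,
    skipping anything that lives under an excluded directory."""
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in excluded):
            continue
        manifest[rel] = file_hash(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> tuple:
    """Build a clean baseline, drop a constructed file into the excluded
    directory, and return (excluding-scan result, full-scan result)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home/bin").mkdir(parents=True)
        (root / "home/bin/web").write_bytes(b"constructed web binary")
        (root / "data/runtime/cockpit/diskAnalysis").mkdir(parents=True)
        (root / "data/runtime/cockpit/diskAnalysis/cache.db").write_bytes(b"constructed cache")

        baseline_excl = build_manifest(root, EXCLUDED_DIRS)
        baseline_full = build_manifest(root)

        # Constructed change: a new file appears inside the excluded directory.
        (root / "data/runtime/cockpit/diskAnalysis/new_file").write_bytes(b"unexpected")

        excl_result = diff_manifests(baseline_excl, build_manifest(root, EXCLUDED_DIRS))
        full_result = diff_manifests(baseline_full, build_manifest(root))
    return excl_result, full_result


if __name__ == "__main__":
    excl, full = demo()
    print("scan with exclusions:", excl)   # reports nothing
    print("full scan:           ", full)   # reports the added file
```

The scan that honours the exclusion list returns an empty diff, which is exactly the "false sense of security" the advisory warns about; the same tree scanned without exclusions flags the new file. The defensive takeaway is that a manifest comparison is only as good as its coverage, and that a check running on the appliance itself can be undermined by root-level persistence, which is why the advisory points defenders toward treating reset devices as potentially still compromised rather than relying on the on-box check alone.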
According to organizations in Australia, Canada, New Zealand, the U.K., and the U.S., "the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time."
Additionally, they urged businesses to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when deciding whether to continue operating these devices in an enterprise environment."
In response to the advisory, Ivanti claimed to be aware of no instances of successful threat actor persistence following the use of factory resets and security updates. A new version of ICT, which it said “provides additional visibility into a customer’s appliance and all files that are present on the system,” is also available.