CISA Issues Emergency Directive to Federal Agencies

Ivanti Zero-Day Exploits: CISA Issues Emergency Directive to Federal Agencies

NewsroomNetwork Security / Threat Intelligence Jan 20, 2024

The Federal Civilian Executive Branch (FCEB ) agencies were urged to implement mitigations against two actively exploited zero-day flaws in the Ivanti Connect Secure ( ICS) and IIPT ( IPS) products in an emergency directive issued by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) on Friday.

The change was made following the widespread exploitation of vulnerabilities by numerous threat actors, including an authentication bypass ( CVE- 2023-46805 ) and a code injectionbug. The vulnerabilities give a malicious actor access to the system to create malicious requests and carry out arbitrary commands.

After the flaws were made public, the U.S. company acknowledged in an advisory that it had seen a” sharp increase in threat actor activity” beginning on January 11, 2024.

A malicious threat actor can move laterally, perform data exfiltration, and establish persistent system access, fully compromise target information systems, according to the agency,” by successfully exploiting the vulnerabilities in these affected products.”

Ivanti has made a temporary workaround available through an XML file that can be imported into affected products to make necessary configuration changes. The company is scheduled to release an update to address the flaws next week.

Organizations running ICS are being urged by CISA to use the mitigation and run an External Integrity Checker Tool to look for signs of compromise, disconnect them from the networks, reset the device, and then import the XML file.

Additionally, FCEB entities are urged to delete and reissue any stored certificates, change the admin enable password, store API keys, and change any local user’s gateway-defined passwords.

Attacks using the twin flaws to deploy web shells and passive backdoors for ongoing access to compromised appliances have been seen by cybersecurity companies Volexity and Mandiant. According to estimates, as many as 2, 100 devices have been compromised to date.

A Chinese nation-state group known as UTA0178 has been identified as the source of the initial attack wave that was discovered in December 2023. Despite the fact that the activity has not been connected to any particular group or nation, Mandadt is monitoring it under the moniker UNC5221.

According to threat intelligence company Grey Noise, it has also seen how vulnerabilities are being used to deactivate XMRig cryptocurrency miners and persistent backdoors, indicating opportunistic exploitation by bad actors for financial gain.