CVE-2023-46805 and CVE-2024-21887 Detection: Chinese Threat Actors Exploit Zero-Day Vulnerabilities in Invanti Connect Secure and Policy Secure Instances
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
- UAC-0184 Abuses Messengers and Dating Websites to Proceed with Attacks Against Ukrainian Government and Military - 18.04.2024
Table of contents:
Critical zero-day vulnerabilities impacting external-facing systems pose severe threats to multiple organizations that rely on them, exposing them to risks of RCE and system compromise, just like the active exploitation of the FortiOS SSL-VPN flaw caused havoc in January 2023. Recently, Chinese state-sponsored hacking groups have been observed exploiting two zero-day vulnerabilities tracked as CVE-2023-46805 & CVE-2024-21887 in Ivanti Connect Secure (ICS) and Policy Secure appliances. The detected flaws can be weaponized by attackers to create an exploit chain, enabling the takeover of impacted instances over the internet. Vulnerability patches are expected to roll out gradually, commencing the week of January 22, 2024.
Detect a CVE-2023-46805 and CVE-2024-21887 Potential Exploit Chain
Vulnerability exploitation remains one of the main intrusion vectors for state-sponsored actors, and over the last decade, the number of vulnerable applications has drastically increased. As of the first week of Jan ā24, security professionals revealed 600+ new security flaws, contributing to an annual total of more than 29,000 reported in 2023.Ā
To stay ahead of emerging threats and discover cyber attacks at their earliest stages of development, cyber defenders require innovative threat hunting tools alongside a reliable source of detection content. SOC Prime Platform for collective cyber defense aggregates 11K+ behavior-based Sigma rules to ensure no threat goes undetected on your watch. Hit the Explore Detections button below and drill down to the list of rules aimed at CVE-2023-46805 and CVE-2024-21887 exploit detection.
All rules are compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework. Additionally, detections are enriched with detailed metadata, including CTI links, media references, triage recommendations, etc.
CVE-2023-46805 and CVE-2024-21887 Analysis
Researchers at Ivanti recently identified and raised concerns about two zero-day vulnerabilities tracked as CVE-2023-46805 and CVE-2024-21887, which are currently being actively exploited by China-linked nation-backed actors. The security bugs impact Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways. All software versions, including version 9.x and 22.x, are affected.Ā
CVE-2023-46805, with a a CVSS rating of 8.2, is an authentication bypass flaw that gives adversaries the green light to remotely access restricted materials by evading control checks. CVE-2024-21887, rated 9.1 on the CVSS scale, is a critical command injection vulnerability that enables authenticated administrators to send specific requests and execute arbitrary commands on the impacted devices. Both vulnerabilities can be chained together, enabling attackers to gain control over compromised devices.
In December 2023, Volexity researchers were the first to detect the suspicious activity involving in-the-wild exploitation of CVE-2023-46805 and CVE-2024-21887, leading to unauthenticated RCE in Ivanti Connect Secure VPN appliances. Researchers link the uncovered adversary activity to a hacking group tracked as UTA0178. The successful exploitation empowers attackers to reach configuration data, alter existing files, retrieve files remotely, and establish a reverse tunnel from the ICS VPN appliance leading to further system compromise.Ā
The ongoing attacks also involve reconnaissance, lateral movement, and the use of a custom web shell named GLASSTOKEN. The latter is deployed via a compromised CGI file, ensuring persistent remote access to public-facing web servers. Notably, suspected nation-backed adversaries deployed at least five diverse malware families in their post-exploitation activities.
Due to the growing risks of the Ivanti VPN zero-day active exploitation in the wild, CISA added the flaws to its Known Exploited Vulnerabilities Catalog and recently issued a dedicated alert to raise cybersecurity awareness.Ā
In response to the escalating risks, Ivanti published a security advisory covering the vulnerability details and potential mitigations while the patches are on their way. Meanwhile, Ivanti users are advised to implement a workaround as a precautionary measure against potential threats. Organizations leveraging ICS VPN appliances are also strongly recommended to thoroughly examine their logs, network telemetry, and the internal Integrity Checker Tool results to timely identify any indications of a successful compromise.
As Internet-exposed systems, particularly crucial devices like VPN appliances and firewalls, emerge as highly favored targets for hackers, defenders should be constantly on alert to preempt such attacks. With the ongoing in-the-wild attacks in which China-backed hackers weaponize Ivanti VPN zero-days, boosting cyber resilience is of paramount value. Defenders can rely on Uncoder AI to accelerate Detection Engineering operations at scale and streamline rule coding, IOC matching, and smooth translation of detection content into 65 language formats while automating routine tasks, saving time for security monitoring, and improving network resilience.
