CISA is now warning government agencies to immediately fix Ivanti errors
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning government agencies to immediately patch newly discovered Ivanti flaws as they are being used in the wild to compromise vulnerable endpoints.
CISA’s alert alerts Federal Civilian Executive Branch (FCEB) agencies to two flaws: CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Code Injection).
The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) and allow threat actors to execute arbitrary commands on the endpoints.
Thousands of victims
Since January 11 this year, a “strong increase” in the number of attacks has been observed, CISA warned. However, government agencies do not appear to be exclusive targets, as researchers have observed organizations being targeted indiscriminately. Small businesses as well as some of the world’s largest organizations, operating in a variety of sectors including aerospace, banking, defense and government, have all fallen prey so far.
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, conduct data exfiltration, and establish persistent system access, resulting in a complete compromise of the target information systems,” the agency said.
Ivanti has yet to release a patch for the flaws, it was said. In the meantime, it released mitigation measures, including importing an XML file into the affected products, which required necessary reconfigurations.
Additionally, CISA said companies should first use an External Integrity Checker Tool to see if their endpoints have been compromised. If signs of foul play are found, the devices should be disconnected, reset, and the XML file introduced. Also, FCEB agencies must revoke and reissue certificates, reset administrative credentials, store API keys, and reset local user passwords.
The zero-days were first spotted by a Chinese state-sponsored threat actor in December last year, tracked as UTA0178. Since then, the group has successfully breached more than 2,000 devices around the world, taking advantage to install passive backdoors and deploy web shells.
Through The HackerNews