Thursday, June 13, 2024

Hackers Actively Exploited 2 Ivanti Zero-Day to Execute Arbitrary Commands

Invati Connect Secure (ICS) and Ivanti Policy Secure Gateways have been discovered with two new vulnerabilities associated with authentication bypass and command injection.

The CVEs for these vulnerabilities have been assigned as CVE-2023-46805 and CVE-2024-21887. The severity of these vulnerabilities has been given as 8.2 (High) and 9.1 (Critical), respectively.

However, Ivanti has released a security advisory to address these vulnerabilities along with the patched version of the products.

It was also mentioned that Ivanti neurons for ZTA gateways cannot be exploited in production. UTA0178 actively exploited these vulnerabilities.

Exploitation in the Wild

According to the reports shared with Cyber Security News, a threat actor actively exploited these two vulnerabilities to steal configuration data, download remote files, and create a reverse tunnel from the ICS VPN appliance.

Moreover, the threat actor made several changes to the system to evade the ICS integrity checker tool. 

In addition, the threat actor backdoored a legitimate CGI file on the ICS VPN appliance to enable command execution over the compromised system.

The attacker also modified the Web SSL VPN JavaScript file to keylog and extract users’ login credentials.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Courses of the Incident

A curl command was for outbound connections to an IP Geolocation service through ip-api[.]com to Cloudflare’s 1.1.1.1 IP address. Additionally, reverse SOCKS proxy and SSH connections were established and downloaded from compromised Cyberoam appliances. 

Lateral movements were also noticed through compromised credentials to connect to internal systems through RDP, SMB, and SSH. Furthermore, there was also the transfer of multiple webshell variants, termed as “GLASSTOKEN”, to Internet-accessible web servers and systems that were only internally accessible.

The attacker created and executed several files from the system’s /tmp/ directory, which were no longer on disk at the time of analysis. A list of the following paths was excluded on the list of Integrity Checker Tool,

  • /tmp/rev
  • /tmp/s.py
  • /tmp/s.jar
  • /tmp/b
  • /tmp/kill

During the course of the incident, Volexity distributed a few malicious files and tools, the most of which comprised of webshells, proxy utilities, and file alterations that allowed credential harvesting. This was despite the fact that Volexity observed the attacker practically living off the land for the most part.

  • In numerous instances, the attacker used compromising credentials to enter onto workstations and servers and dump LSASS process memory to disk via Task Manager.
  • The attacker extracted further credentials offline by exfiltrating this output.
  • The attacker accessed a system with Virtual Hard Disk backups, including a domain controller backup. After mounting this virtual hard disk, they extracted the Active Directory database ntds.dit file and compressed it using 7-Zip.
  • The attacker found a running Veeam backup software instance and used a GitHub script to steal passwords.
  • As said, the attacker updated JavaScript on the ICS VPN Appliance’s Web SSL VPN login page to steal credentials.

A complete report about this incident has been published, providing detailed information about the threat actor’s activities, webshell information, and others.

ValueEntity_typeDescription
206.189.208.156ipaddressDigitalOcean IP address tied to UTA0178
gpoaccess[.]comhostnameSuspected UTA0178 domain discovered via domain registration patterns
webb-institute[.]comhostnameSuspected UTA0178 domain discovered via domain registration patterns
symantke[.]comhostnameUTA0178 domain used to collect credentials from compromised devices
75.145.243.85ipaddressUTA0178 IP address observed interacting with compromised device
47.207.9.89ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
98.160.48.170ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
173.220.106.166ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
73.128.178.221ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
50.243.177.161ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
50.213.208.89ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
64.24.179.210ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
75.145.224.109ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
50.215.39.49ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
71.127.149.194ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network
173.53.43.7ipaddressUTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network

Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems – 

Website

Latest articles

Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code

In May 24, 2024, Zero-Day Initiative released a security advisory for Ivanti EPM which...

CISA Warns of Scammers Impersonating as CISA Employees

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge...

Microsoft Windows Ntqueryinformationtoken Flaw Let Attackers Escalate Privileges

Microsoft has disclosed a critical vulnerability identified as CVE-2024-30088.With a CVSS score of 8.8, this flaw affects Microsoft...

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote...

Indian National Jailed For Hacked Servers Of Company That Fired Him

An Indian national was sentenced to two years and eight months in jail for...

JetBrains Warns of GitHub Plugin that Exposes Access Tokens

A critical vulnerability (CVE-2024-37051) in the JetBrains GitHub plugin for IntelliJ-based IDEs (2023.1 and...

Critical Flaw In Apple Ecosystems Let Attackers Gain Unauthorized Access

Hackers go for Apple due to its massive user base along with rich customers,...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles