Invati Connect Secure (ICS) and Ivanti Policy Secure Gateways have been discovered with two new vulnerabilities associated with authentication bypass and command injection.
The CVEs for these vulnerabilities have been assigned as CVE-2023-46805 and CVE-2024-21887. The severity of these vulnerabilities has been given as 8.2 (High) and 9.1 (Critical), respectively.
However, Ivanti has released a security advisory to address these vulnerabilities along with the patched version of the products.
It was also mentioned that Ivanti neurons for ZTA gateways cannot be exploited in production. UTA0178 actively exploited these vulnerabilities.
According to the reports shared with Cyber Security News, a threat actor actively exploited these two vulnerabilities to steal configuration data, download remote files, and create a reverse tunnel from the ICS VPN appliance.
Moreover, the threat actor made several changes to the system to evade the ICS integrity checker tool.
In addition, the threat actor backdoored a legitimate CGI file on the ICS VPN appliance to enable command execution over the compromised system.
The attacker also modified the Web SSL VPN JavaScript file to keylog and extract users’ login credentials.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
A curl command was for outbound connections to an IP Geolocation service through ip-api[.]com to Cloudflare’s 1.1.1.1 IP address. Additionally, reverse SOCKS proxy and SSH connections were established and downloaded from compromised Cyberoam appliances.
Lateral movements were also noticed through compromised credentials to connect to internal systems through RDP, SMB, and SSH. Furthermore, there was also the transfer of multiple webshell variants, termed as “GLASSTOKEN”, to Internet-accessible web servers and systems that were only internally accessible.
The attacker created and executed several files from the system’s /tmp/ directory, which were no longer on disk at the time of analysis. A list of the following paths was excluded on the list of Integrity Checker Tool,
During the course of the incident, Volexity distributed a few malicious files and tools, the most of which comprised of webshells, proxy utilities, and file alterations that allowed credential harvesting. This was despite the fact that Volexity observed the attacker practically living off the land for the most part.
A complete report about this incident has been published, providing detailed information about the threat actor’s activities, webshell information, and others.
Value | Entity_type | Description |
206.189.208.156 | ipaddress | DigitalOcean IP address tied to UTA0178 |
gpoaccess[.]com | hostname | Suspected UTA0178 domain discovered via domain registration patterns |
webb-institute[.]com | hostname | Suspected UTA0178 domain discovered via domain registration patterns |
symantke[.]com | hostname | UTA0178 domain used to collect credentials from compromised devices |
75.145.243.85 | ipaddress | UTA0178 IP address observed interacting with compromised device |
47.207.9.89 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
98.160.48.170 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
173.220.106.166 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
73.128.178.221 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
50.243.177.161 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
50.213.208.89 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
64.24.179.210 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
75.145.224.109 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
50.215.39.49 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
71.127.149.194 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
173.53.43.7 | ipaddress | UTA0178 IP address observed interacting with compromised device tied to Cyberoam proxy network |
Looking for cost-effective penetration testing services? Try Kelltron’s to assess and evaluate the security posture of digital systems –
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…