Industrial Control Systems Cyber Emergency Response TeamAA24-060BThreat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.3 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.9%
Actions to take today to mitigate cyber threats against Ivanti appliances:
- Limit outbound internet connections from SSL VPN appliances to restrict access to required services.
- Keep all operating systems and firmware up to date.
- Limit SSL VPN connections to unprivileged accounts.
References
attack.mitre.org/versions/v14/matrices/enterprise/
attack.mitre.org/versions/v14/tactics/TA0003/
attack.mitre.org/versions/v14/tactics/TA0006/
attack.mitre.org/versions/v14/tactics/TA0008/
attack.mitre.org/versions/v14/techniques/T1059/001/
attack.mitre.org/versions/v14/techniques/T1078/
attack.mitre.org/versions/v14/techniques/T1190/
attack.mitre.org/versions/v14/techniques/T1203/
attack.mitre.org/versions/v14/techniques/T1505/003/
attack.mitre.org/versions/v14/techniques/T1505/003/
cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities
forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
forums.ivanti.com/s/article/KB44755?language=en_US
github.com/cisagov/Decider/
github.com/volexity/threat-intel/blob/main/2024/2024-01-10%20Ivanti%20Connect%20Secure/indicators/iocs.csv
learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=net-8.0
media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF
nvd.nist.gov/vuln/detail/CVE-2023-46805
nvd.nist.gov/vuln/detail/CVE-2023-46805
nvd.nist.gov/vuln/detail/CVE-2023-46805
nvd.nist.gov/vuln/detail/CVE-2024-21887
nvd.nist.gov/vuln/detail/CVE-2024-21887
nvd.nist.gov/vuln/detail/CVE-2024-21887
nvd.nist.gov/vuln/detail/CVE-2024-21888
nvd.nist.gov/vuln/detail/CVE-2024-21893
nvd.nist.gov/vuln/detail/CVE-2024-21893
nvd.nist.gov/vuln/detail/CVE-2024-21893
nvd.nist.gov/vuln/detail/CVE-2024-22024
pages.nist.gov/800-63-3/
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Threat%20Actors%20Exploit%20Multiple%20Vulnerabilities%20in%20Ivanti%20Connect%20Secure%20and%20Policy%20Secure%20Gateways+https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
www.cisa.gov/cross-sector-cybersecurity-performance-goals
www.cisa.gov/forms/report
www.cisa.gov/forms/report
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
www.cisa.gov/resources-tools/resources/secure-by-design-and-default
www.cisa.gov/sbom
www.cisa.gov/securebydesign
www.cyber.gc.ca/en/alerts-advisories/ivanti-connect-secure-and-ivanti-policy-secure-gateways-zero-day-vulnerabilities
www.cyber.gov.au/
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b&title=Threat%20Actors%20Exploit%20Multiple%20Vulnerabilities%20in%20Ivanti%20Connect%20Secure%20and%20Policy%20Secure%20Gateways
www.fbi.gov/contact-us/field-offices
www.fbi.gov/contact-us/field-offices
www.gov.uk/guidance/where-to-report-a-cyber-incident
www.ic3.gov/
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
www.usa.gov/
www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Threat%20Actors%20Exploit%20Multiple%20Vulnerabilities%20in%20Ivanti%20Connect%20Secure%20and%20Policy%20Secure%20Gateways&body=www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.3 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.9%