
January 12, 2024

State-sponsored threat actors exploiting ConnectAround vulnerability


State-sponsored threat actors have exploited two zero-day vulnerabilities, collectively dubbed “ConnectAround,” in Ivanti’s Policy Secure and Connect Secure gateways just a day after they were publicly disclosed.

After successfully exploiting ConnectAround, threat actors have been able to gain initial access, deploy web shells and backdoors, capture credentials and configuration data, and spread further into the victim’s network.

Researchers have identified the deployment of at least five different malware families as a result of ConnectAround exploitation, including the Lightwire and Wirefire web shells, Warpwire credential stealer, ThinSpool dropper, and Zipline backdoor.

In addition to malware, researchers have also observed threat actors injecting malicious code and using tools like BusyBox and PySoxy to maintain persistent access.

Despite ConnectAround being publicly disclosed on January 11, 2024, researchers have observed state-sponsored threat actors exploiting the flaw as early as December 2023. Ivanti says fewer than 10 customers have been compromised, suggesting a highly targeted campaign.

Source: The Hacker News

Analysis

Given threat actors’ interest in compromising edge devices and gateways, it’s not surprising they have quickly capitalized on ConnectAround to compromise networks of interest and may have been doing so long before the vulnerability was disclosed.

The extent of the campaign will likely grow well beyond the approximately 10 victims announced by Ivanti as additional threat actors develop and deploy their own exploits.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in appliances like Ivanti Connect Secure and Policy Secure. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.

Field Effect strongly encourages users of Ivanti Connect Secure and Policy Secure to download and configure the mitigation file as soon as possible via Ivanti’s download portal and to install the patch once it is available.
