• Language chooser
    • USA (English)
    • France (Français)

Ivanti Connect Secure and Policy Secure Attack

Released: Jan 23, 2024

Updated: Feb 29, 2024


Critical Severity

Vulnerability, Attack Type


Zero-day vulnerabilities actively exploited

Widespread exploitation of zero-day vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways underway. Learn More »

Background

CVE-2023-46805 Is an Authentication ByPass Vulnerability found in the web component of Ivanti Connect Secure (ICS) and Ivanti Policy Secure to allow a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in web components of ICS and Ivanti Policy Secure. If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Jan 10, 2024: Ivanti disclosed two new vulnerabilities in their ICS and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887.
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways


Jan 18, 2024: FortiGuard Labs released a Threat Signal on Ivanti Connect Secure and Policy Secure Gateways Zero-day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)
https://www.fortiguard.com/threat-signal-report/5371/

Jan 19, 2024: CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits. This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation
https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities

Jan 22, 2024: FortiGuard Labs has released IPS signatures to detect and block Authentication Bypass (CVE-2023-46805) and Server-Side Request Forgery Vulnerability (CVE-2024-21893) is observing high IPS activity since the release of the signatures.

Jan 22, 2024: Ivanti plans to begin releasing patches addressing these vulnerabilities on a schedule. Until patches are available, Ivanti has provided a workaround for the users to mitigate exploitation risks
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

Feb 01, 2024: Ivanti identified additional vulnerabilities in ICS and Ivanti Policy Secure, and Ivanti Neurons for ZTA. CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. Vendor mentions in the advisory that CVE-2024-21893 appears to be seen in some targeted attacks and expects an increase in the attacks. CVE-2024-21893 has also been added to CISA's known exploited vulnerability catalog (KEV).

Feb 9, 2024: Ivanti disclosed a fifth vulnerability- CVE-2024-22024 (XXE) for ICS and Ivanti Policy Secure.
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Feb 13, 2024: A new report by Orange Cyberdefense shows attackers using CVE-2024-21893 to install a new backdoor named DSLog.
https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

Please note, this is an ongoing investigation and as the situation is evolving, FortiGuard Labs will update and add new protections accordingly.

Feb 29, 2024: CISA released a Cybersecurity Advisory on Threat Actors Exploiting Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b



FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure

  • Decoy VM

  • AV

  • AV (Pre-filter)

  • IPS

  • Web App Security

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Playbook

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status
oast.me domain Active
115.236.5.58 ip Active
interact.sh domain Active
dnslog.cn domain Active
1433.eu.org domain Active
fernandestechnical.com domain Active
185.212.61.84 ip Active
185.156.72.51 ip Active
138.68.61.82 ip Active
146.19.191.85 ip Active
138.199.22.142 ip Active
23.129.64.212 ip Active
45.61.136.14 ip Active
d3fbae7eb3d38159913c7e9f4c627149df1882b57998c8a... file Active
dev-clientservice.com domain Active
185.243.41.201 ip Active
159.203.33.199 ip Active
oast.live domain Active
oast.online domain Active
oast.fun domain Active
oast.pro domain Active
oast.site domain Active
193.47.61.75 ip Active
170.64.149.53 ip Active
20.228.211.183 ip Active
https://biondocenere.com/pub/crl.dat url Active
23190d722ba3fe97d859bd9b086ff33a14ae9aecfc8a2c3... file Active
85.208.139.73 ip Active
85.208.139.73:80 ip Active
45.66.230.32 ip Active
103.95.196.149 ip Active
45.66.230.32:80 ip Active
87.120.88.13 ip Active
87.120.88.13:80 ip Active
103.110.33.164 ip Active
103.110.33.164:80 ip Active
http://103.110.33.164/mips url Active
146.19.191.108 ip Active
193.31.28.13 ip Active
193.31.28.13:80 ip Active
37.19.207.89 ip Active
146.19.191.108:80 ip Active
103.212.81.116 ip Active
103.212.81.116:80 ip Active
176.97.210.211 ip Active
176.97.210.211:80 ip Active
103.228.126.17 ip Active
103.228.126.17:80 ip Active
49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4... file Active
f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846... file Active
145.40.126.81 ip Active
57.128.141.133 ip Active
103.131.57.59 ip Active
103.131.57.59:80 ip Active
45.152.66.151 ip Active
161.35.172.122 ip Active
165.154.227.192 ip Active
99.245.96.12 ip Active
91.92.254.14 ip Active
111.90.143.184 ip Active
137.175.19.209 ip Active
91.92.244.59 ip Active
146.70.116.185 ip Active
159.89.82.235 ip Active
bc7c7280855c384e5a970a2895363bd5c8db9088977d129... file Active
173.220.106.166 ip Active
173.53.43.7 ip Active
206.189.208.156 ip Active
47.207.9.89 ip Active
50.213.208.89 ip Active
50.215.39.49 ip Active
50.243.177.161 ip Active
64.24.179.210 ip Active
73.128.178.221 ip Active
75.145.224.109 ip Active
75.145.243.85 ip Active
98.160.48.170 ip Active
103.245.236.188 ip Active
103.245.236.188:80 ip Active
http://103.245.236.188/skyljne.mips url Active
71.127.149.194 ip Active
gpoaccess.com domain Active
https://symantke.com/ url Active
symantke.com domain Active
webb-institute.com domain Active
dslogconfig.pm domain Active
sessionserver.pl domain Active
sessionserver.sh domain Active
38.60.200.88 ip Active
3d97f55a03ceb4f71671aa2ecf5b24e9 file Active
677c1aa6e2503b56fe13e1568a814754 file Active
6de651357a15efd01db4e658249d4981 file Active
d0c7a334a4d9dcd3c6335ae13bee59ea file Active
030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2... file Active
39ead6055306739ab969a3531bde2050f556b05e500894b... file Active
45c9578bbceb2ce2b0f10133d2f3f708e78c8b7eb3c52ad... file Active
47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e... file Active
4cba272d83f6ff353eb05e117a1057699200a996d483ca5... file Active
6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee... file Active
73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08e... file Active
Indicators of compromise Indicators of compromise
IOC Threat Activity

Last 30 days

Chg

Avg 0