Ivanti Connect Secure and Policy Secure Attack

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

Jan 10, 2024: Ivanti disclosed two new vulnerabilities in their ICS and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887.
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

Jan 18, 2024: FortiGuard Labs released a Threat Signal on Ivanti Connect Secure and Policy Secure Gateways Zero-day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)
https://www.fortiguard.com/threat-signal-report/5371/

Jan 19, 2024: CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits. This Directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation
https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities

Jan 22, 2024: FortiGuard Labs has released IPS signatures to detect and block Authentication Bypass (CVE-2023-46805) and Server-Side Request Forgery Vulnerability (CVE-2024-21893) is observing high IPS activity since the release of the signatures.

Jan 22, 2024: Ivanti plans to begin releasing patches addressing these vulnerabilities on a schedule. Until patches are available, Ivanti has provided a workaround for the users to mitigate exploitation risks
https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

Feb 01, 2024: Ivanti identified additional vulnerabilities in ICS and Ivanti Policy Secure, and Ivanti Neurons for ZTA. CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. Vendor mentions in the advisory that CVE-2024-21893 appears to be seen in some targeted attacks and expects an increase in the attacks. CVE-2024-21893 has also been added to CISA's known exploited vulnerability catalog (KEV).

Feb 9, 2024: Ivanti disclosed a fifth vulnerability- CVE-2024-22024 (XXE) for ICS and Ivanti Policy Secure.
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

Feb 13, 2024: A new report by Orange Cyberdefense shows attackers using CVE-2024-21893 to install a new backdoor named DSLog.
https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf

Please note, this is an ongoing investigation and as the situation is evolving, FortiGuard Labs will update and add new protections accordingly.

Feb 29, 2024: CISA released a Cybersecurity Advisory on Threat Actors Exploiting Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b