Ivanti gave Chinese hackers access to classified US data

Brother

The country's state structures may be exposed to the largest leak of government data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urgently issued a directive calling on Federal Civil Executive Branch (FCEB) agencies to take measures to mitigate the effects of two actively exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS).

The warning comes as two vulnerabilities — authentication bypass (CVE-2023-46805, CVSS score: 8.2) and code injection error (CVE-2024-21887, CVSS score: 9.1) — have become widely exploited by many attackers. These flaws allow an attacker to create malicious requests and execute arbitrary commands on the system.

Ivanti acknowledged that it had witnessed "a sharp increase in the activity of threat actors" starting from January 11, 2024, after the flaws were publicly disclosed. Successful exploitation of the vulnerabilities allows a cybercriminal to perform lateral movement, steal data and maintain persistent access to the system, which leads to complete compromise of the target information systems.

Ivanti, which is expected to release a fix update next week, has provided a temporary workaround via an XML file that can be imported into affected products to make the necessary configuration changes.

CISA encourages organizations that use ICS to apply security measures and run an external integrity check tool to detect signs of compromise; if any are detected, disconnect the affected devices from networks, reboot them, and then import the XML file.

In addition, FCEB organizations are strongly encouraged to revoke and reissue any stored certificates, reset the administrator password, save API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity companies Volexity and Mandiant have observed attacks using these flaws to deploy web shells and backdoors to permanently access infected devices. It is estimated that about 2,100 devices around the world have been hacked to date.

The initial wave of attacks was recorded in December 2023. Since then, many new groups have joined the active exploitation of vulnerabilities in addition to previously suspected Chinese state hackers (UTA0178 or UNC5221).