arstechnica.com
Open in
urlscan Pro
3.19.150.179
Public Scan
Submitted URL: https://t.co/IL6S2zmMKY
Effective URL: https://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/?...
Submission: On January 12 via manual from CZ — Scanned from DE
Effective URL: https://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/?...
Submission: On January 12 via manual from CZ — Scanned from DE
Form analysis
1 forms found in the DOMGET /search/
<form action="/search/" method="GET" id="search_form">
<input type="hidden" name="ie" value="UTF-8">
<input type="text" name="q" id="hdr_search_input" value="" aria-label="Search..." placeholder="Search...">
</form>
Text Content
Skip to main content * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums Subscribe Close NAVIGATE * Store * Subscribe * Videos * Features * Reviews * RSS Feeds * Mobile Site * About Ars * Staff Directory * Contact Us * Advertise with Ars * Reprints FILTER BY TOPIC * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums SETTINGS Front page layout Grid List Site theme light dark Sign in UNAUTHENTICATED RCE THAT BYPASSES 2FA — ACTIVELY EXPLOITED 0-DAYS IN IVANTI VPN ARE LETTING HACKERS BACKDOOR NETWORKS ORGANIZATIONS USING IVANTI CONNECT SECURE SHOULD TAKE ACTION AT ONCE. Dan Goodin - 1/10/2024, 11:18 PM Enlarge Getty Images READER COMMENTS 12 Unknown threat actors are actively targeting two critical zero-day vulnerabilities that allow them to bypass two-factor authentication and execute malicious code inside networks that use a widely used virtual private network appliance sold by Ivanti, researchers said Wednesday. FURTHER READING More US agencies potentially hacked, this time with Pulse Secure exploits Ivanti reported bare-bones details concerning the zero-days in posts published on Wednesday that urged customers to follow mitigation guidance immediately. Tracked as CVE-2023-46805 and CVE-2024-21887, they reside in Ivanti Connect Secure, a VPN appliance often abbreviated as ICS. Formerly known as Pulse Secure, the widely used VPN has harbored previous zero-days in recent years that came under widespread exploitation, in some cases to devastating effect. EXPLOITERS: START YOUR ENGINES “When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” researchers from security firm Volexity wrote in a post summarizing their investigative findings of an attack that hit a customer last month. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.” Researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster went on to write: > Volexity observed the attacker modifying legitimate ICS components and making > changes to the system to evade the ICS Integrity Checker Tool. Notably, > Volexity observed the attacker backdooring a legitimate CGI file > (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, > the attacker also modified a JavaScript file used by the Web SSL VPN component > of the device in order to keylog and exfiltrate credentials for users logging > into it. The information and credentials collected by the attacker allowed > them to pivot to a handful of systems internally, and ultimately gain > unfettered access to systems on the network. The researchers attributed the hacks to a threat actor tracked under the alias UTA0178, which they suspect is a Chinese nation-state-level threat actor. Advertisement Like other VPNs, the ICS sits at the edge of a protected network and acts as the gatekeeper that’s supposed to allow only authorized devices to connect remotely. That position and its always-on status make the appliance ideal for targeting when code-execution vulnerabilities in them are identified. So far, the zero-days appear to have been exploited in low numbers and only in highly targeted attacks, Volexity CEO Steven Adair said in an email. He went on to write: > However, there is a very good chance that could change. There will now be a > potential race to compromise devices before mitigations are applied. It is > also possible that the threat actor could share the exploit or that additional > attackers will otherwise figure out the exploit. If you know the details—the > exploit is quite trivial to pull off and it requires absolutely no > authentication and can be done over the Internet. The entire purposes of these > devices are to provide VPN access, so by nature they sit on the Internet and > are accessible. FURTHER READING Casualties keep growing in this month’s mass exploitation of MOVEit 0-day The threat landscape of 2023 was dominated by the active mass exploitation of a handful of high-impact vulnerabilities tracked under the names Citrix Bleed or designations including CVE-2022-47966, CVE-2023-34362, and CVE-2023-49103, which resided in the Citrix NetScaler Application Delivery Controller and NetScaler Gateway, the MOVEit file-transfer service, and 24 wares sold by Zoho-owned ManageEngine and ownCloud, respectively. Unless affected organizations move more quickly than they did last year to patch their networks, the latest vulnerabilities in the Ivanti appliances may receive the same treatment. Researcher Kevin Beaumont, who proposed “Connect Around” as a moniker for tracking the zero-days, posted results from a scan that showed there were roughly 15,000 affected Ivanti appliances around the world exposed to the Internet. Beaumont said that hackers backed by a nation-state appeared to be behind the attacks on the Ivanti-sold device. Enlarge / Map showing geographic location of ICS deployments, led by the US, Japan, Germany, France, and Canada. Shodan Page: 1 2 Next → READER COMMENTS 12 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement CHANNEL ARS TECHNICA UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO Today "Quantum Leap" series creator Donald P. Bellisario joins Ars Technica to answer once and for all the lingering questions we have about his enduringly popular show. Was Dr. Sam Beckett really leaping between all those time periods and people or did he simply imagine it all? What do people in the waiting room do while Sam is in their bodies? What happens to Sam's loyal ally Al? 30 years following the series finale, answers to these mysteries and more await. * UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO * UNSOLVED MYSTERIES OF WARHAMMER 40K WITH AUTHOR DAN ABNETT * SITREP: F-16 REPLACEMENT SEARCH A SIGNAL OF F-35 FAIL? * SITREP: BOEING 707 * STEVE BURKE OF GAMERSNEXUS REACTS TO THEIR TOP 1000 COMMENTS ON YOUTUBE * MODERN VINTAGE GAMER REACTS TO HIS TOP 1000 COMMENTS ON YOUTUBE * HOW THE NES CONQUERED A SKEPTICAL AMERICA IN 1985 * SCOTT MANLEY REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW HORROR WORKS IN AMNESIA: REBIRTH, SOMA AND AMNESIA: THE DARK DESCENT * LGR'S CLINT BASINGER REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * THE F-35'S NEXT TECH UPGRADE * HOW ONE GAMEPLAY DECISION CHANGED DIABLO FOREVER * UNSOLVED MORTAL KOMBAT MYSTERIES WITH DOMINIC CIANCIOLO FROM NETHERREALM STUDIOS * US NAVY GETS AN ITALIAN ACCENT * HOW AMAZON’S “UNDONE” ANIMATES DREAMS WITH ROTOSCOPING AND OIL PAINTS * FIGHTER PILOT BREAKS DOWN EVERY BUTTON IN AN F-15 COCKPIT * HOW NBA JAM BECAME A BILLION-DOLLAR SLAM DUNK * LINUS "TECH TIPS" SEBASTIAN REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW ALAN WAKE WAS REBUILT 3 YEARS INTO DEVELOPMENT * HOW PRINCE OF PERSIA DEFEATED APPLE II'S MEMORY LIMITATIONS * HOW CRASH BANDICOOT HACKED THE ORIGINAL PLAYSTATION * MYST: THE CHALLENGES OF CD-ROM | WAR STORIES * MARKIPLIER REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW MIND CONTROL SAVED ODDWORLD: ABE'S ODDYSEE * BIOWARE ANSWERS UNSOLVED MYSTERIES OF THE MASS EFFECT UNIVERSE * CIVILIZATION: IT'S GOOD TO TAKE TURNS | WAR STORIES * SITREP: DOD RESETS BALLISTIC MISSILE INTERCEPTOR PROGRAM * WARFRAME'S REBECCA FORD REVIEWS YOUR CHARACTERS * SUBNAUTICA: A WORLD WITHOUT GUNS | WAR STORIES * HOW SLAY THE SPIRE’S ORIGINAL INTERFACE ALMOST KILLED THE GAME | WAR STORIES * AMNESIA: THE DARK DESCENT - THE HORROR FACADE | WAR STORIES * COMMAND & CONQUER: TIBERIAN SUN | WAR STORIES * BLADE RUNNER: SKINJOBS, VOXELS, AND FUTURE NOIR | WAR STORIES * DEAD SPACE: THE DRAG TENTACLE | WAR STORIES * TEACH THE CONTROVERSY: FLAT EARTHERS * DELTA V: THE BURGEONING WORLD OF SMALL ROCKETS, PAUL ALLEN'S HUGE PLANE, AND SPACEX GETS A CRUCIAL GREEN-LIGHT * CHRIS HADFIELD EXPLAINS HIS 'SPACE ODDITY' VIDEO * THE GREATEST LEAP, EPISODE 1: RISK * ULTIMA ONLINE: THE VIRTUAL ECOLOGY | WAR STORIES More videos ← Previous story Next story → RELATED STORIES TODAY ON ARS * Store * Subscribe * About Us * RSS Feeds * View Mobile Site * Contact Us * Staff * Advertise with us * Reprints NEWSLETTER SIGNUP Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox. Sign me up → CNMN Collection WIRED Media Group © 2024 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy. Your California Privacy Rights | Manage Preferences The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices WE CARE ABOUT YOUR PRIVACY We and our 142 partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data.More information about your privacy WE AND OUR PARTNERS PROCESS DATA TO PROVIDE: Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised advertising and content, advertising and content measurement, audience research and services development. List of Partners (vendors) I Accept Show Purposes