Effective URL: https://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/?...
UNAUTHENTICATED RCE THAT BYPASSES 2FA —


ACTIVELY EXPLOITED 0-DAYS IN IVANTI VPN ARE LETTING HACKERS BACKDOOR NETWORKS


ORGANIZATIONS USING IVANTI CONNECT SECURE SHOULD TAKE ACTION AT ONCE.

Dan Goodin - 1/10/2024, 11:18 PM

Unknown threat actors are actively targeting two critical zero-day
vulnerabilities that allow them to bypass two-factor authentication and execute
malicious code inside networks that use a widely used virtual private network
appliance sold by Ivanti, researchers said Wednesday.
Ivanti reported bare-bones details concerning the zero-days in posts published
on Wednesday that urged customers to follow mitigation guidance immediately.
Tracked as CVE-2023-46805 and CVE-2024-21887, they reside in Ivanti Connect
Secure, a VPN appliance often abbreviated as ICS. Formerly known as Pulse
Secure, the widely used VPN has harbored previous zero-days in recent years that
came under widespread exploitation, in some cases to devastating effect.


EXPLOITERS: START YOUR ENGINES

“When combined, these two vulnerabilities make it trivial for attackers to run
commands on the system,” researchers from security firm Volexity wrote in a post
summarizing their investigative findings of an attack that hit a customer last
month. “In this particular incident, the attacker leveraged these exploits to
steal configuration data, modify existing files, download remote files, and
reverse tunnel from the ICS VPN appliance.” Researchers Matthew Meltzer, Robert
Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster went on to write:

> Volexity observed the attacker modifying legitimate ICS components and making
> changes to the system to evade the ICS Integrity Checker Tool. Notably,
> Volexity observed the attacker backdooring a legitimate CGI file
> (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further,
> the attacker also modified a JavaScript file used by the Web SSL VPN component
> of the device in order to keylog and exfiltrate credentials for users logging
> into it. The information and credentials collected by the attacker allowed
> them to pivot to a handful of systems internally, and ultimately gain
> unfettered access to systems on the network.

The researchers attributed the hacks to a threat actor tracked under the alias
UTA0178, which they suspect is a Chinese nation-state-level threat actor.

Like other VPNs, the ICS sits at the edge of a protected network and acts as the
gatekeeper that’s supposed to allow only authorized devices to connect remotely.
That position and its always-on status make the appliance an ideal target once
code-execution vulnerabilities in it are identified. So far, the zero-days appear
to have been exploited in low numbers and only in highly targeted attacks,
Volexity CEO Steven Adair said in an email. He went on to write:

> However, there is a very good chance that could change. There will now be a
> potential race to compromise devices before mitigations are applied. It is
> also possible that the threat actor could share the exploit or that additional
> attackers will otherwise figure out the exploit. If you know the details—the
> exploit is quite trivial to pull off and it requires absolutely no
> authentication and can be done over the Internet. The entire purpose of these
> devices is to provide VPN access, so by nature they sit on the Internet and
> are accessible.

The threat landscape of 2023 was dominated by the active mass exploitation of a
handful of high-impact vulnerabilities tracked under the names Citrix Bleed or
designations including CVE-2022-47966, CVE-2023-34362, and CVE-2023-49103, which
resided in the Citrix NetScaler Application Delivery Controller and NetScaler
Gateway, the MOVEit file-transfer service, and 24 wares sold by Zoho-owned
ManageEngine and ownCloud, respectively. Unless affected organizations move more
quickly than they did last year to patch their networks, the latest
vulnerabilities in the Ivanti appliances may receive the same treatment.


Researcher Kevin Beaumont, who proposed “Connect Around” as a moniker for
tracking the zero-days, posted results from a scan that showed there were
roughly 15,000 affected Ivanti appliances around the world exposed to the
Internet. Beaumont said that hackers backed by a nation-state appeared to be
behind the attacks on the Ivanti-sold device.

Map showing geographic location of ICS deployments, led by the US, Japan,
Germany, France, and Canada. (Image: Shodan)

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he
oversees coverage of malware, computer espionage, botnets, hardware hacking,
encryption, and passwords. In his spare time, he enjoys gardening, cooking, and
following the independent music scene.