2024-02-23

IBM X-Force has been monitoring the evolving campaigns leveraging recently disclosed Ivanti zero days. Ivanti's initial disclosure was published on January 10th, 2024 and detailed CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure and Ivanti Policy Secure appliances. CVE-2023-46805 is an authentication bypass vulnerability in the web component that permits a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability in web components that permits an authenticated administrator to execute arbitrary commands on the appliance by sending specially crafted requests. Chained together, the two vulnerabilities yield unauthenticated remote code execution, which is how they have been exploited in the wild. Public reporting indicates a threat actor exploited these vulnerabilities against select targets as early as December 2023.

Multiple vendors have attributed the initial intrusions to a suspected Chinese threat actor tracked as UTA0178 (aka UNC5221). X-Force is currently unable to corroborate this reporting with sufficient confidence to comment. On January 11th and 12th, following the publication of these vulnerabilities, multiple vendors observed mass scanning and exploitation attempts against various organizations. While UTA0178 was reportedly behind some of this increase in activity, similarities in deployed webshells and non-public methodologies have been reported as evidence that the exploits may have been shared with related actors. This proliferation pattern, in which exploits similar to those used in the initial campaign(s) come into widespread opportunistic use to gain footholds in thousands of organizations before or soon after patches are available, is consistent with prior campaigns also attributed to suspected Chinese threat actors.

Starting January 16th, proof of concept (POC) exploit code was released for CVE-2023-46805 and CVE-2024-21887. On January 31st, Ivanti disclosed two additional vulnerabilities, CVE-2024-21893 and CVE-2024-21888, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways, with POC exploit code for CVE-2024-21893 released on February 2nd. CVE-2024-21893 is an SSRF (Server-Side Request Forgery) vulnerability in the SAML component that permits access to certain restricted resources without authentication. CVE-2024-21888 is a privilege escalation vulnerability in the web component that permits a user to elevate privileges to those of an administrator. On February 8th, Ivanti disclosed a further vulnerability, CVE-2024-22024, an XXE (XML External Entity) vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA Gateways that allows an attacker to access certain restricted resources without authentication.