Ivanti VPN Zero-Day Avoided with Device Isolation
The situation regarding Ivanti continues to evolve. On January 31, 2024, two new CVEs, which can be leveraged for remote code execution (RCE), were added to the existing advisory. These additional CVEs present a substantial risk to businesses running Ivanti devices. Check Ivanti's website for up-to-date information on patching and remediation.
Virtual private networks (VPNs) are meant to provide a secure network connection for employees. Unfortunately, VPNs can also be attractive targets for threat actors seeking unauthorized access to corporate networks.
On January 10, 2024, Ivanti publicly disclosed two zero-day vulnerabilities impacting Ivanti Connect Secure VPN appliances. When combined, these vulnerabilities allow threat actors to bypass authentication checks and run arbitrary commands, potentially enabling them to execute several cyber attacks. Although no ransomware cases have been reported, the number of exploited devices has steadily grown since disclosure.
If Ivanti users did not apply the vulnerability mitigation — not a patch — upon release on January 10, threat actors may have already compromised their devices. Coalition contacted impacted policyholders almost immediately and, through the combined efforts of several teams, has seen success in avoiding cyber incidents through proactive engagement.
How did Coalition respond to the Ivanti vulnerability?
After identifying all Coalition policyholders using the vulnerable Ivanti devices, we looked at our honeypot data to identify parties attempting to enumerate and exploit the vulnerability. Our honeypot data showed a spike in traffic scanning for Ivanti devices beginning seven days before the January 10 disclosure. The first spike saw 100 hits for Ivanti devices, while the previous day only saw 14.
Coalition's Security Support Center (SSC) began outreach on January 11, 2024. Due to the likelihood that devices had already been compromised, Coalition Incident Response (CIR), an affiliate of Coalition, Inc., proactively contacted policyholders because of the risk that threat actor groups could install backdoors or cryptominers.
From here, CIR essentially began threat hunting. Threat hunting is hypothesis-driven: it starts from the assumption that a threat actor is likely already inside the network and works to find and evict them before they can cause serious harm to the business.
Case study: Partnering with policyholders to mitigate risks
A biotechnology company was using Ivanti devices as part of its security boundary.* Boundary devices, like VPNs, function similarly to physical checkpoints that users must pass through to gain additional access to a place (or, in the case of a network, to information).
CIR partnered with the company's Head of IT to determine if the company had been adversely impacted. The policyholder had identified a potentially malicious file on one of its Ivanti devices after running the external integrity checking tool and disabled external connections to the Ivanti device. The policyholder allowed one internal connection to one internal device for post-exploitation activity monitoring.
In collaboration with CIR, the company confirmed that it had reviewed logins on both the Ivanti devices and elsewhere in the network. The company had endpoint detection and response (EDR) in place and used a service — managed detection and response (MDR) — to review the EDR logs when its internal team was unavailable.
Because the biotech company took the alert seriously, responded to our outreach, and followed the necessary steps to mitigate the risk, it was able to successfully avoid a cyber incident.
What can policyholders do?
Policyholders may be surprised to receive proactive outreach from Coalition because they aren't used to an insurance company doing more than sending them a yearly renewal. When we're able to establish a baseline of trust with our policyholders, they collaborate with us to resolve vulnerabilities. Our incentives are aligned — we both want to take active steps to reduce risk and avoid adverse cyber incidents and future claims.
Boundary devices, like Ivanti VPNs, are designed to keep threat actors out of a network, so it's quite serious when these devices are vulnerable. Currently, no patch is available, but Ivanti has released a mitigation that can be downloaded and imported into Ivanti devices.
Users can also run the external integrity checking tool to identify any misconfigurations in their Ivanti devices. Removing the device from the public internet can also mitigate the risk associated with the vulnerabilities. As a best practice, we recommend businesses running Ivanti devices monitor for any suspicious activity that could be indicators of compromise (IOCs), including:
Logins from unexpected devices or locations
New requests for access or elevation of privileges
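As an added example (not code from Coalition or Ivanti), the following Python script shows what monitoring for those two indicator types can look like: it reads constructed, simplified key=value login records (not Ivanti's real log format) against a per-user baseline of expected networks and devices, and flags logins from unexpected sources, logins by users with no baseline, and new requests for privileged roles.

```python
"""Flag VPN logins from unexpected devices/locations and new privilege requests.

Constructed example: the log lines and baseline below are made up, and the
key=value layout is a simplified stand-in, not Ivanti's own log format.
"""
import ipaddress
import re

# Constructed baseline: the source networks and devices each user normally uses.
BASELINE = {
    "alice": {"nets": ["203.0.113.0/24"], "devices": {"alice-laptop"}},
    "bob": {"nets": ["198.51.100.0/24"], "devices": {"bob-laptop"}},
}
# Roles whose request is treated as a privilege-elevation indicator.
ADMIN_ROLES = {"admin", "superuser"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict."""
    return dict(KV_RE.findall(line))


def in_baseline_net(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_indicators(lines):
    """Return (reason, event) tuples for every record matching an IOC."""
    hits = []
    for line in lines:
        ev = parse(line)
        base = BASELINE.get(ev.get("user"))
        if ev.get("event") == "login":
            if base is None:
                hits.append(("login by user with no baseline", ev))
                continue
            if not in_baseline_net(ev["src"], base["nets"]):
                hits.append(("login from unexpected location", ev))
            if ev.get("device") not in base["devices"]:
                hits.append(("login from unexpected device", ev))
        elif ev.get("event") == "role_request" and ev.get("role") in ADMIN_ROLES:
            hits.append(("new privilege elevation request", ev))
    return hits


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "ts=2024-01-11T02:14:05Z event=login user=alice src=203.0.113.7 device=alice-laptop result=success",
    "ts=2024-01-11T02:16:40Z event=login user=alice src=192.0.2.55 device=unknown-host result=success",
    "ts=2024-01-11T02:18:02Z event=role_request user=alice role=admin",
    "ts=2024-01-11T02:20:13Z event=login user=svc_backup src=192.0.2.55 device=unknown-host result=success",
    "ts=2024-01-11T03:01:00Z event=login user=bob src=198.51.100.9 device=bob-laptop result=success",
]

if __name__ == "__main__":
    for reason, ev in find_indicators(SAMPLE_LOG):
        print(f"{ev['ts']} {reason}: user={ev['user']} src={ev.get('src', '-')}")
```

The same source address and device appearing under two different accounts, as in the sample, is exactly the pattern a reviewer would want grouped together when triaging the output.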
Businesses looking to enhance their security posture can also sign up for around-the-clock monitoring with Coalition Security Services Managed Detection and Response (MDR) provided by CIR. MDR provides businesses with continuous monitoring without the cost associated with standing up a 24/7 security operations center (SOC).
Learn more about MDR from Coalition Security Services.