
Ivanti VPN Zero-Day Avoided with Device Isolation

The situation regarding Ivanti continues to evolve. On Jan 31, 2024, two new CVEs, which can be leveraged for remote code execution (RCE), were added to the existing advisory. These additional CVEs present a substantial risk to businesses running Ivanti devices. Check Ivanti's website for up-to-date information on patching and remediation.

Virtual private networks (VPNs) are meant to provide a secure network connection for employees. Unfortunately, VPNs can also be attractive targets for threat actors seeking unauthorized access to corporate networks.

On January 10, 2024, Ivanti publicly disclosed two zero-day vulnerabilities impacting Ivanti Connect Secure VPN appliances. When chained, these vulnerabilities allow threat actors to bypass authentication checks and run arbitrary commands on the appliance, opening the door to follow-on attacks inside the network. Although no ransomware cases have been reported, the number of exploited devices has grown steadily since disclosure.

If Ivanti users did not apply the vulnerability mitigation (a mitigation, not a patch) when it was released on January 10, threat actors may have already compromised their devices. Coalition contacted impacted policyholders almost immediately and, through the combined efforts of several teams, has seen success in avoiding cyber incidents through proactive engagement.

How did Coalition respond to the Ivanti vulnerability?

After identifying all Coalition policyholders using the vulnerable Ivanti devices, we looked at our honeypot data to identify parties attempting to enumerate and exploit the vulnerability. Our honeypot data showed a spike in traffic scanning for Ivanti devices beginning seven days before the January 10 disclosure: the first spike day saw 100 hits for Ivanti devices, while the previous day saw only 14.

Coalition Honeypot Activity — Ivanti
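The spike described above (100 probes in a day against a baseline of 14) is the kind of signal a simple baseline comparison over honeypot access logs surfaces. The following is an added example, not Coalition's honeypot tooling or data: the log lines, source addresses and the `/vpn/...` probe paths are constructed for illustration (they are not real Ivanti endpoints), and the daily counts are shaped to mirror the post's numbers. It counts per-day requests that match the probe paths, skips malformed lines, and flags a day whose count is both above a minimum and several times the previous day's.

```python
"""Detect a scanning spike in honeypot access logs (added example)."""
from collections import Counter
from datetime import date, timedelta
import re

# Paths that, on this honeypot, indicate a probe for the VPN product's
# login or API surface. Constructed for this example; not Ivanti's real paths.
VPN_PROBE_PATHS = ("/vpn/login", "/vpn/api/")

# Expected line shape: "<YYYY-MM-DD> <src_ip> <method> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+)$")


def build_sample_log():
    """Construct a five-day honeypot log with a scanning spike on day 3.

    Daily probe counts 12, 14, 100, 130, 160 mirror the shape described in
    the post (14 hits the day before the first spike, 100 on the spike day).
    Sample data, not real honeypot output.
    """
    probe_counts = [12, 14, 100, 130, 160]
    day0 = date(2024, 1, 1)
    lines = []
    for offset, n in enumerate(probe_counts):
        day = (day0 + timedelta(days=offset)).isoformat()
        for i in range(n):
            path = VPN_PROBE_PATHS[i % 2] + ("" if i % 2 == 0 else "v1/")
            lines.append(f"{day} 203.0.113.{i % 250 + 1} GET {path}")
        # Background noise that must not be counted as a VPN probe.
        for i in range(5):
            lines.append(f"{day} 198.51.100.{i + 1} GET /robots.txt")
    return lines


def daily_probe_counts(lines):
    """Count, per day, the requests whose path starts with a VPN probe prefix."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        day, _src, _method, path = m.groups()
        if path.startswith(VPN_PROBE_PATHS):
            counts[date.fromisoformat(day)] += 1
    return dict(sorted(counts.items()))


def find_spikes(counts, ratio=3.0, min_hits=20):
    """Flag days whose probe count is at least `ratio` times the previous
    day's and at least `min_hits`, so a 1 -> 4 jump does not raise an alert.
    Returns a list of (day, count, previous_day_count)."""
    spikes = []
    prev = None
    for day, n in counts.items():
        if prev is not None and n >= min_hits and n >= ratio * prev:
            spikes.append((day, n, prev))
        prev = n
    return spikes


if __name__ == "__main__":
    log = build_sample_log()
    for day, n, prev in find_spikes(daily_probe_counts(log)):
        print(f"{day}: {n} VPN probes (previous day: {prev})")
```

The ratio threshold and minimum-hit floor are the two knobs worth tuning against your own baseline; in real deployments the same comparison is usually run against a rolling average rather than a single previous day so that one quiet day does not inflate the next day's ratio.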

Coalition's Security Support Center (SSC) began outreach on January 11, 2024. Because devices were likely to have already been compromised, with the risk that threat actor groups had installed backdoors or cryptominers, Coalition Incident Response (CIR), an affiliate of Coalition, Inc., proactively contacted policyholders.

From here, CIR essentially began threat hunting. Threat hunting is hypothesis-driven: it starts from the assumption that a threat actor is likely already inside the network and tries to find and evict them before they can cause serious harm to the business.

Case study: Partnering with policyholders to mitigate risks

A biotechnology company was using Ivanti devices as part of its security boundary.* Boundary devices, like VPNs, function similarly to physical checkpoints that users must pass through to gain additional access to a place (or, in the case of a network, to information).

CIR partnered with the company's Head of IT to determine whether the company had been adversely impacted. The policyholder had identified a potentially malicious file on one of its Ivanti devices after running Ivanti's external integrity checker tool, and had disabled all external connections to that device. It left a single internal connection open, from one internal host, so that post-exploitation activity on the device could be monitored.

In collaboration with CIR, the company confirmed that it had reviewed logins on both the Ivanti devices and elsewhere in the network. The company had endpoint detection and response (EDR) in place and used a service — managed detection and response (MDR) — to review the EDR logs when its internal team was unavailable. 

Because the biotech company took the alert seriously, responded to our outreach, and followed the necessary steps to mitigate the risk, it was able to successfully avoid a cyber incident.

What can policyholders do?

Policyholders may be surprised to receive proactive outreach from Coalition because they aren't used to an insurance company doing more than sending them a yearly renewal. When we're able to establish a baseline of trust with our policyholders, they collaborate with us to resolve vulnerabilities. Our incentives are aligned — we both want to take active steps to reduce risk and avoid adverse cyber incidents and future claims.

Boundary devices, like Ivanti VPNs, are designed to keep threat actors out of a network, so it's quite serious when these devices are vulnerable. At the time of the original post, no patch was available, but Ivanti had released a mitigation that can be downloaded and imported into Ivanti devices; see the update at the top of this post and Ivanti's website for current patch status.

Users can also run Ivanti's external integrity checker tool, which detects files that have been added to or modified on the appliance, a common sign of compromise. Removing the device from the public internet also mitigates the risk associated with the vulnerabilities. As a best practice, we recommend businesses running Ivanti devices monitor for any suspicious activity that could be an indicator of compromise (IOC), including:

  • Account creations

  • Logins from unexpected devices or locations

  • New requests for access or elevation of privileges
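The three indicators listed above can be checked mechanically against the appliance's authentication and audit logs. The following is an added example written for this post, not code from Ivanti or Coalition: the JSON-lines log format, the usernames, the IP addresses, the per-user baseline of known devices and countries, and the IP-to-country table are all constructed for illustration (a real deployment would read the appliance's export format and use a GeoIP database). It flags every account creation, every elevation to an administrator role, and every successful login from a device or country not in the user's baseline, and it tolerates malformed lines instead of aborting the hunt.

```python
"""Hunt for account creation, unexpected logins and privilege elevation
in VPN audit logs (added example with constructed data)."""
import json

# Per-user baseline of what is normal: device IDs and countries seen before
# the incident window. Constructed sample data.
BASELINE = {
    "alice": {"devices": {"lt-alice-01"}, "countries": {"US"}},
    "bob": {"devices": {"lt-bob-01"}, "countries": {"US"}},
}

# Constructed stand-in for a GeoIP lookup.
IP_COUNTRY = {
    "192.0.2.10": "US",
    "192.0.2.11": "US",
    "198.51.100.23": "RO",
    "203.0.113.77": "US",
}

ADMIN_ROLES = {"administrator", "admin"}

# Constructed audit events, one JSON object per line; the last line is
# deliberately malformed to show the parser skipping it.
AUDIT_LOG = """\
{"ts":"2024-01-11T08:02:11Z","event":"login","user":"alice","src":"192.0.2.10","device":"lt-alice-01","result":"success"}
{"ts":"2024-01-11T08:40:05Z","event":"user.create","actor":"bob","user":"svc-backup"}
{"ts":"2024-01-11T08:41:30Z","event":"login","user":"svc-backup","src":"198.51.100.23","device":"unknown-7f3a","result":"success"}
{"ts":"2024-01-11T09:05:00Z","event":"role.change","actor":"svc-backup","user":"bob","new_role":"administrator"}
{"ts":"2024-01-11T09:10:44Z","event":"login","user":"bob","src":"203.0.113.77","device":"lt-bob-02","result":"success"}
{"ts":"2024-01-11T09:12:00Z","event":"login","user":"alice","src":"192.0.2.11","device":"lt-alice-01","result":"failure"}
this line is not json and must not abort the hunt
"""


def hunt(log_text, baseline, ip_country):
    """Return a list of (severity, timestamp, description) findings."""
    findings = []
    for raw in log_text.splitlines():
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, keep hunting
        kind = ev.get("event")
        ts = ev.get("ts", "?")
        if kind == "user.create":
            # IOC 1: any account creation during the exposure window.
            findings.append(("high", ts, f"account created: {ev['user']} by {ev.get('actor')}"))
        elif kind == "role.change" and ev.get("new_role") in ADMIN_ROLES:
            # IOC 3: elevation of privileges to an administrative role.
            findings.append(("high", ts, f"privilege elevation: {ev['user']} -> {ev['new_role']} by {ev.get('actor')}"))
        elif kind == "login" and ev.get("result") == "success":
            # IOC 2: successful login from a device or location outside the baseline.
            user = ev.get("user")
            src = ev.get("src")
            country = ip_country.get(src, "??")
            known = baseline.get(user)
            if known is None:
                findings.append(("high", ts, f"login by account with no baseline: {user} from {src} ({country})"))
                continue
            if ev.get("device") not in known["devices"]:
                findings.append(("medium", ts, f"login from unexpected device: {user} on {ev.get('device')}"))
            if country not in known["countries"]:
                findings.append(("medium", ts, f"login from unexpected location: {user} from {src} ({country})"))
    return findings


if __name__ == "__main__":
    for severity, ts, text in hunt(AUDIT_LOG, BASELINE, IP_COUNTRY):
        print(f"[{severity}] {ts} {text}")
```

Failed logins are ignored here on purpose: a single failure is noise, whereas a successful login from an unknown device after an account was created by another user is exactly the chain a hunter wants surfaced. An unresolvable source address is treated as an unexpected location rather than silently accepted.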

Businesses looking to enhance their security posture can also sign up for around-the-clock monitoring with Coalition Security Services Managed Detection and Response (MDR) provided by CIR. MDR provides businesses with continuous monitoring without the cost associated with standing up a 24/7 security operations center (SOC).

Learn more about MDR from Coalition Security Services.

*The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.
Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.