Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ivanti VPN Exploitation. Show all posts

Lessons from the Ivanti VPN Cyberattack: Security Breaches and Mitigation Strategies

 

The recent cyberattack on Ivanti’s VPN software has prompted swift action from the Cybersecurity and Infrastructure Security Agency (CISA). This incident not only highlights the need for stronger cybersecurity measures but also raises important questions about exploit techniques, organizational responses to security breaches, and the escalating costs associated with downtime. 

The vulnerabilities in Ivanti’s VPN gateway allowed threat actors to bypass authentication and gain unauthorized access. Attackers could send maliciously crafted packets to infiltrate the system without needing to steal credentials, giving them access to user credentials, including domain administrator credentials. A second vulnerability enabled the injection of malicious code into the Ivanti appliance, allowing attackers to maintain persistent access, even after reboots or patches. Security researchers, including Mandiant, identified that Ivanti’s initial mitigations were insufficient. 

CISA warned that Ivanti’s interim containment measures were not adequate to detect compromises, leaving systems vulnerable to persistent threats. This uncertainty about the effectiveness of proposed mitigations necessitated CISA’s prompt intervention. The ability of attackers to gain persistent access to a VPN gateway poses significant risks. From this trusted position, attackers can move laterally within the network, accessing critical credentials and data. The compromise of the VPN allowed attackers to take over stored privileged administrative account credentials, a much more severe threat than the initial breach. In response to the breach, CISA advised organizations to assume that critical credentials had been stolen. 

Ivanti’s failure to detect the compromise allowed attackers to operate within a trusted zone, bypassing zero-trust principles and exposing sensitive data to heightened risks. The severity of the vulnerabilities led CISA to take the unusual step of taking two of Ivanti’s systems offline, a decision made to protect the most sensitive credentials. Despite later clarifications from Ivanti that patches could have been applied more discreetly, the miscommunications highlight the importance of clear, open channels during a crisis. Mixed messages can lead to unnecessary chaos and confusion. System-level downtime is costly, both in terms of IT resources required for shutdown and recovery and the losses incurred from service outages. 

The exact cost of Ivanti’s downtime remains uncertain, but for mission-critical systems, such interruptions are extremely expensive. This incident serves as a warning about the costs of addressing the aftermath of a cyberattack. CISA’s decision to shut down the systems was based on the potential blast radius of the attack. The trusted position of the VPN gateway and the ability to export stored credentials made lateral movement easier for attackers. 

Building systems based on the principle of least privilege can help minimize the blast radius of attacks, reducing the need for broad shutdowns. The Ivanti VPN cyberattack underscores the pressing need for robust cybersecurity measures. Organizations must adopt proactive infrastructure design and response strategies to mitigate risks and protect critical assets. Reducing the number of high-value targets in IT infrastructure is crucial. Privileged account credentials and stored keys are among the highest value targets, and IT leaders should prioritize strategies and technologies that minimize or eliminate such targets. 

MITRE Breach: State Hackers Exploit Ivanti Zero-Days


A state-backed hacking group successfully breached MITRE Corporation’s systems in January 2024 by exploiting two Ivanti VPN zero-day vulnerabilities. 

The incident was detected after suspicious activity was observed on MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. Fortunately, the breach did not impact MITRE’s core enterprise network or its partners’ systems.

The MITRE Corporation

The MITRE Corporation claims that in January 2024, a state-sponsored hacking organization infiltrated its systems by chaining two Ivanti VPN zero-days.

The issue was discovered when suspicious activity was noticed on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaboration network for research and development.

So far, evidence gathered throughout the inquiry indicates that the breach had no impact on the organization's core enterprise network or the systems of its partners.

The Breach

MITRE has since alerted affected parties of the incident, contacted appropriate authorities, and is currently attempting to restore "operational alternatives."

"No organization is immune to this type of cyber attack, not even one that strives for the highest level of cybersecurity," MITRE CEO Jason Providakes stated on Friday.

MITRE CTO Charles Clancy and Cybersecurity Engineer Lex Crumpton noted in a separate advisory that the threat actors broke into one of MITRE's Virtual Private Networks (VPNs) by chaining two Ivanti Connect Secure zero-days.

They were also able to circumvent multi-factor authentication (MFA) barriers by exploiting session hijacking, which allowed them to travel laterally around the penetrated network's VMware architecture using a compromised administrator account.

Throughout the event, the hackers exploited a combination of sophisticated webshells and backdoors to gain access to compromised systems and harvest credentials.

Since early December, two security vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been used to distribute several malware families for espionage objectives.

Global Impact

Mandiant tied these assaults to an advanced persistent threat (APT) known as UNC5221, while Volexity discovered evidence that Chinese state-sponsored hackers were using the two zero-days.

Volexity stated that Chinese hackers backdoored over 2,100 Ivanti appliances, gathering and stealing account and session data from compromised networks. The victims ranged in size from small firms to some of the world's largest organizations, including Fortune 500 companies in a variety of industries.

Because of their widespread exploitation and large attack surface, CISA issued this year's first emergency directive on January 19, instructing government agencies to mitigate the Ivanti zero-days immediately.