The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued a joint advisory warning organizations about an active cyber campaign exploiting vulnerabilities in Ivanti Connect Secure and Policy Secure appliances. This alert comes amid increasing attacks against unpatched systems, with threat actors deploying web shells for persistent access and credential theft.
Critical Vulnerabilities Under Exploitation
The advisory highlights two critical vulnerabilities (CVE-2023-46805 and CVE-2024-21887) being actively exploited in the wild:
- CVE-2023-46805 (CVSS 8.2): Authentication bypass vulnerability
- CVE-2024-21887 (CVSS 9.1): Command injection vulnerability
These flaws affect all supported versions of Ivanti Connect Secure (formerly Pulse Secure) and Policy Secure gateways. When chained together, they allow unauthenticated attackers to execute arbitrary commands on affected systems.
Attack Methodology and Indicators
According to CISA's analysis, threat actors are:
- Scanning for vulnerable Ivanti appliances exposed to the internet
- Exploiting the vulnerabilities to bypass authentication
- Deploying web shells with names like check.jsp and ds.jsp
- Establishing persistent access and moving laterally
- Harvesting credentials and sensitive data
Key indicators of compromise include:
- Unusual outbound connections to 185.225.73[.]244 and 103.131.189[.]143
- Presence of suspicious files in /home/webserver/htdocs/
- Modified system files and new admin accounts
Recommended Mitigation Steps
CISA and FBI recommend immediate action:
- Apply Patches: Ivanti released fixes on January 31, 2024 - apply immediately
- Isolate Affected Systems: Remove compromised appliances from networks
- Hunt for IOCs: Search for the provided indicators in network logs
- Reset Credentials: Rotate all credentials that traversed affected systems
- Monitor Authentication Logs: Watch for unusual admin account activity
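The "Hunt for IOCs" and "Monitor Authentication Logs" steps above can be turned into a small, repeatable check. The following script is an added example written for this page; it is not CISA, FBI or Ivanti tooling. It takes the indicators the advisory summary lists (the two defanged IPs, the web shell names check.jsp and ds.jsp, and the /home/webserver/htdocs/ directory), refangs the IPs, and runs them over constructed sample data: a few firewall-style log lines, a file listing, and a before/after set of admin account names. The log line format, the sample IPs other than the advisory IOCs, and the account names are all invented for the demonstration.

```python
import posixpath
import re

# Indicators as given in the advisory summary (IPs are defanged with "[.]" in the text).
DEFANGED_IPS = ["185.225.73[.]244", "103.131.189[.]143"]
WEB_SHELL_NAMES = {"check.jsp", "ds.jsp"}
SUSPECT_DIR = "/home/webserver/htdocs/"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable IP."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_network_log(lines):
    """Return (line_number, ip) for every line mentioning an advisory IOC IP.

    Any IPv4 literal in the line is checked, so the result is independent of
    the exact log format (src=/dst= key-value pairs, CSV, syslog, ...).
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip))
    return hits


def scan_file_listing(paths):
    """Return paths under the web root whose file name matches a known web shell name."""
    return [
        p for p in paths
        if p.startswith(SUSPECT_DIR) and posixpath.basename(p) in WEB_SHELL_NAMES
    ]


def new_admin_accounts(baseline, current):
    """Return admin accounts present now that were absent from a trusted baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample data (hypothetical firewall log lines, file listing and account sets).
SAMPLE_NETWORK_LOG = [
    "2024-02-01T10:02:11Z src=10.0.5.12 dst=93.184.216.34 dport=443 action=allow",
    "2024-02-01T10:02:15Z src=10.0.5.12 dst=185.225.73.244 dport=443 action=allow",
    "2024-02-01T10:03:40Z src=10.0.5.13 dst=103.131.189.143 dport=8443 action=allow",
    "2024-02-01T10:04:02Z src=10.0.5.14 dst=8.8.8.8 dport=53 action=allow",
]
SAMPLE_FILE_LISTING = [
    "/home/webserver/htdocs/index.html",
    "/home/webserver/htdocs/check.jsp",
    "/home/webserver/htdocs/ds.jsp",
    "/home/webserver/htdocs/legit.jsp",
    "/tmp/check.jsp",  # outside the web root, so not reported by scan_file_listing
]
SAMPLE_ADMINS_BASELINE = ["admin", "svc_backup"]
SAMPLE_ADMINS_CURRENT = ["admin", "svc_backup", "support1"]


def hunt(network_log, file_listing, admins_baseline, admins_current):
    """Run all three checks and collect the findings in one report."""
    return {
        "ioc_connections": scan_network_log(network_log),
        "web_shells": scan_file_listing(file_listing),
        "new_admins": new_admin_accounts(admins_baseline, admins_current),
    }


if __name__ == "__main__":
    report = hunt(SAMPLE_NETWORK_LOG, SAMPLE_FILE_LISTING,
                  SAMPLE_ADMINS_BASELINE, SAMPLE_ADMINS_CURRENT)
    for key, findings in report.items():
        print(f"{key}: {findings}")
```

In practice the three inputs would come from exported firewall or proxy logs, a file listing taken from the appliance (or a forensic image of it), and an admin account list captured before the exposure window. Matching any IPv4 literal in a line rather than a specific field keeps the network check usable across log formats; the file check deliberately only reports matches under the web root named in the advisory, so a copy of the same file name elsewhere would need a separate decision.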
The Bigger Picture
This campaign represents part of a growing trend targeting edge security appliances. Similar attacks have hit Fortinet, Citrix, and VMware devices in recent years. Cloud service appliances remain prime targets due to their:
- Perimeter network position
- Access to internal resources
- Frequent delays in patch deployment
Organizations using Ivanti products should treat this as a critical incident requiring immediate attention. The advisory notes that even appliances showing 'Mitigation Successful' in Ivanti's integrity checker may still be compromised.
Long-Term Security Recommendations
Beyond immediate patching, CISA suggests:
- Implementing network segmentation to limit lateral movement
- Enforcing multi-factor authentication for all remote access
- Establishing a rigorous patch management program
- Conducting regular vulnerability assessments
This advisory follows CISA's recent addition of these Ivanti flaws to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to remediate them by February 2, 2024.
Resources for Affected Organizations
CISA provides additional assistance through:
- Cybersecurity Advisory (AA24-038A)
- CISA's Vulnerability Scanning service for federal agencies
- The MS-ISAC for state and local government support
Private sector organizations can report incidents to CISA's 24/7 Operations Center or local FBI field offices.