Article Details
Scrape Timestamp (UTC): 2024-03-01 06:33:09.965
Source: https://thehackernews.com/2024/03/five-eyes-agencies-warn-of-active.html
Original Article Text
Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

"Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, four of which have come under active exploitation by multiple threat actors to deploy malware. Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT, /data/runtime/cockpit/diskAnalysis.

The directory exclusions were also previously highlighted by Eclypsium this month, which noted that the tool skips a dozen directories when scanning, allowing an attacker to leave behind backdoors in one of these paths and still pass the integrity check.

"The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time," agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.

They also urged organizations to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment."

Ivanti, in response to the advisory, said it's not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets.
It's also releasing a new version of ICT that it said "provides additional visibility into a customer's appliance and all files that are present on the system."
Daily Brief Summary
The Five Eyes intelligence alliance (FVEY) has alerted about cyber threat actors exploiting Ivanti Connect Secure and Ivanti Policy Secure gateway vulnerabilities.
Despite factory resets, attackers may maintain root-level persistence, evading detection by Ivanti's Integrity Checker Tool (ICT), which is deceived by directory exclusions.
Ivanti has acknowledged five security flaws since January 10, 2024, with four actively exploited to deploy malware, including an encrypted variant called BUSHWALK.
Threat actors have been able to install backdoors due to the ICT not scanning certain directories, as highlighted by both Mandiant and Eclypsium.
The Five Eyes recommend that network defenders operate under the assumption that sophisticated actors could maintain persistent access to compromised devices.
Organizations using Ivanti gateways are urged to assess the significant risks of continued operation amid these security concerns.
Ivanti has responded by releasing a new version of ICT for improved visibility and states it is not aware of any successful threat actor persistence after security updates and factory resets.
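To make the ICT blind-spot concrete, the following added example (not Ivanti's tool or code) builds a constructed file tree, takes a known-good hash baseline, plants an unexpected file in a directory the scanner is configured to skip, and compares an exclusion-based scan against a full scan. The directory name /data/runtime/cockpit/diskAnalysis comes from the article; the exclusion list, file names and contents are constructed for the demonstration.

```python
"""Why an integrity check with path exclusions can miss a planted file.

Added example, not Ivanti's ICT. Directory name from the article; everything
else (exclusion list, files, contents) is constructed for this demo.
"""
import hashlib
import os
import tempfile

# Constructed exclusion list, relative to the scanned root, mirroring the
# article's point that the checker skips certain directories.
EXCLUDED_DIRS = ("data/runtime/cockpit/diskAnalysis",)


def build_manifest(root, excluded=()):
    """Return {relative_path: sha256} for every regular file under root,
    skipping anything inside one of `excluded` (the blind spot)."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if any(rel_dir == ex or rel_dir.startswith(ex + "/") for ex in excluded):
            continue  # excluded directory: nothing here is ever hashed
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[name if rel_dir == "." else f"{rel_dir}/{name}"] = digest
    return manifest


def unexpected_files(baseline, current):
    """Paths that are new or changed in `current` relative to the baseline."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def run_demo():
    """Baseline a constructed tree, plant a file in the excluded directory,
    then report findings from an exclusion-based scan and from a full scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data/runtime/cockpit/diskAnalysis"))
        os.makedirs(os.path.join(root, "home/bin"))
        with open(os.path.join(root, "home/bin/web"), "wb") as fh:
            fh.write(b"legitimate binary (constructed)")
        baseline = build_manifest(root)  # known-good state, nothing excluded
        planted = os.path.join(root, "data/runtime/cockpit/diskAnalysis/cache.bin")
        with open(planted, "wb") as fh:  # constructed stand-in for an unexpected file
            fh.write(b"constructed unexpected content")
        with_exclusions = unexpected_files(baseline, build_manifest(root, EXCLUDED_DIRS))
        full_scan = unexpected_files(baseline, build_manifest(root))
        return with_exclusions, full_scan
```

The exclusion-based scan returns an empty finding list while the full scan names the planted path, which is the gap the advisory and Ivanti's updated ICT (covering "all files that are present on the system") are addressing.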