#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Ivanti | Breaking Cybersecurity News | The Hacker News

China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion

China-Linked Hackers Used ROOTROT Webshell in MITRE Network Intrusion
May 07, 2024 Vulnerability / Network Security
The MITRE Corporation has offered more details into the recently disclosed cyber attack, stating that the first evidence of the intrusion now dates back to December 31, 2023. The attack, which  came to light last month , singled out MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE) through the exploitation of two Ivanti Connect Secure zero-day vulnerabilities tracked as CVE-2023–46805 and CVE-2024–21887, respectively. "The adversary maneuvered within the research network via VMware infrastructure using a compromised administrator account, then employed a combination of backdoors and web shells to maintain persistence and harvest credentials," MITRE  said . While the organization had previously disclosed that the attackers performed reconnaissance of its networks starting in January 2024, the latest technical deep dive puts the earliest signs of compromise in late December 2023, with the adversary dropping a Perl-based web shell calle

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
Apr 05, 2024 Advanced Persistent Threat
Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893). The clusters are being tracked by Mandiant under the uncategorized monikers  UNC5221 , UNC5266, UNC5291,  UNC5325 , UNC5330, and UNC5337. Also previously linked to the exploitation spree is a Chinese hacking crew called UNC3886 , whose tradecraft is notable for weaponizing zero-day bugs in Fortinet and VMware to breach target networks. The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations. "UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,"

Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure
Apr 04, 2024 Network Security / Vulnerability
Ivanti has released security updates to address four security flaws impacting Connect Secure and Policy Secure Gateways that could result in code execution and denial-of-service (DoS). The list of flaws is as follows - CVE-2024-21894  (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code. CVE-2024-22052  (CVSS score: 7.5) - A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. CVE-2024-22053  (CVSS score: 8.2) - A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 2

Protecting Your Organization From Insider Threats - All You Need to Know

cyber security
websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.

What's the Right EDR for You?

What's the Right EDR for You?
May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
Mar 26, 2024 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788  (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529  (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability CVE-2019-7256  (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability The shortcoming impacting Fortinet FortiClient EMS  came to light  earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available. CVE-20

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability
Mar 21, 2024 Vulnerability / Web Security
Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as  CVE-2023-41724 , the vulnerability carries a CVSS score of 9.6. "An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network," the company  said . The flaw impacts all supported versions 9.17.0, 9.18.0, and 9.19.0, as well as older versions. The company said it has made available a patch (versions 9.17.1, 9.18.1, and 9.19.1) that can be downloaded via the standard download portal. It credited Vincent Hutsebaut, Pierre Vivegnis, Jerome Nokin, Roberto Suggi Liverani and Antonin B. of NATO Cyber Security Centre for "their collaboration on this issue." Ivanti emphasized that it's not aware of any customers affected by CVE-2023-41724, and  added  that "

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities
Mar 01, 2024 Rootkit / Threat Intelligence
The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security. "Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," the agencies  said . To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware - CVE-2023-46805  (CVSS score: 8.2) - Authentication bypass vulnerability in web component CVE-2024-21887  (CVSS score: 9.1) - Command injection vulnerability in web component CVE-2024-21888  (CVSS score: 8.8) - Privilege escalation vulnerability in web component CVE-2024-21893  (CVSS score: 8

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries
Feb 15, 2024 Firmware Security / Reverse Engineering
A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsiusm, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4. "Pulse Secure runs an 11-year-old version of Linux which hasn't been supported since November 2020," the firmware security company  said  in a report shared with The Hacker News. The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to  deliver  a  wide range of malware , including web shells, stealers, and backdoors. The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also  disclosed  another bug

Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures

Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures
Feb 13, 2024 Vulnerability / Cyber Threat
Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed  DSLog  on susceptible devices. That's according to  findings  from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-the-concept (PoC) code. CVE-2024-21893, which was  disclosed  by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication. The Utah-based company has since acknowledged that the flaw has limited targeted attacks, although the exact scale of the compromises is unclear. Then, last week, the Shadowserver Foundation  revealed  a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both

Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways
Feb 09, 2024 Vulnerability / Zero Day
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as  CVE-2024-22024 , is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication," the company  said  in an advisory. The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including  CVE-2023-46805, CVE-2024-21887 ,  CVE-2024-21888, and CVE-2024-21893 . CVE-2024-22024 affects the following versions of the products - Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, a

Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
Feb 01, 2024 Network Security / Malware
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of  LIGHTWIRE . "CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution," the company  said , attributing it to UNC5221, adding it also detected multiple new versions of  WARPWIRE , a JavaScript-based credential stealer. The infection chains entail a successful exploitation of  CVE-2023-46805 and CVE-2024-21887 , which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges. The flaws have been abused as zero-days since early December 2023. Germany's Federal Office for Information Security (BSI)  said

Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation
Jan 31, 2024 Vulnerability / Zero Day
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888  (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator CVE-2024-21893  (CVSS score: 8.2) - A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication The Utah-based software company  said  it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged "the exploitation of CVE-2024-21893 appears to be targeted" and that it's "aware of a limited number of cust

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits
Jan 20, 2024 Network Security / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an  emergency directive  urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development arrives as the  vulnerabilities  – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – have come under widespread exploitation by multiple threat actors. The flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system. The U.S. company  acknowledged  in an advisory that it has witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed. "Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish per

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
Jan 19, 2024 Cyber Theat / Zero-Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it's being actively exploited in the wild. The vulnerability in question is  CVE-2023-35082  (CVSS score: 9.8), an authentication bypass that's a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  noted  in August 2023. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability. Cyb

Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure

Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure
Jan 11, 2024 Cybersecurity / Zero-Day
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which  identified  the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name  UTA0178 . There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023. The two vulnerabilities that have been exploited in the wild to achieve unauthenticated command execution on the ICS device are as follows - CVE-2023-46805  (CVSS score: 8.2) - An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887  (CVSS score: 9.1) - A command injection vulnerability in web components of Ivanti Connect Secur

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution
Jan 05, 2024 Vulnerability / Network Security
Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti  said  in an advisory. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." The disclosure arrived weeks after the company  resolved  nearly two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution. Of the 21 issues, 13 are rated critical (CVSS scores: 9.8

Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software
Aug 22, 2023 Zero-Day / Software Security
Software services provider Ivanti is  warning  of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as  CVE-2023-38035  (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an due to an insufficiently restrictive Apache HTTPD configuration. "If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS)," the company  said . "While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet." Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files onto the system. It's recommen

Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability
Aug 03, 2023 Vulnerability / Software Security
Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software. Tracked as  CVE-2023-35082  (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below)." "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  said  in an advisory released on August 2, 2023. The software services provider further said that the shortcoming was "incidentally resolved" in MobileIron Core 11.3 as part of work on a product bug and that it had not previously been flagged as a security flaw. Rapid7 security researcher Stephen Fewer  said

Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack

Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack
Jul 29, 2023 Vulnerability / Enterprise Security
Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild. The new vulnerability, tracked as  CVE-2023-35081  (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company  said  in an advisory. "This vulnerability can be used in conjunction with  CVE-2023-35078 , bypassing administrator authentication and ACLs restrictions (if applicable)." A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user. "As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078

Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation

Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation
Jul 25, 2023 Enterprise Security / Zero Day
Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability. Dubbed  CVE-2023-35078 , the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as well as older releases. It has the maximum severity rating of 10 on the CVSS scale. "An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," the company  said  in a terse advisory. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said an
Expert Insights
Cybersecurity Resources