Response to CISA Advisory (AA24-060B): Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

In response to the recently published CISA Advisory (AA24-060B) that disseminates observed threat actor activities, Indicators of Compromise (IOCs), and mitigations associated with ongoing incident response activities in connection with the recent Ivanti Connect Secure and Ivanti Policy Secure Gateway vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893, AttackIQ recommends that customers take the following testing actions in alignment with this recently observed activity. Read More

On February 29, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA) providing observed threat actor activities, Indicators of Compromise (IOCs) and mitigations associated with ongoing incident response activities in connection with the recent Ivanti Connect Secure and Ivanti Policy Secure Gateway vulnerabilities.

This recent alert was part of a collaboration effort between CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), the Australian Signals Directorate’s Australian Cyber Security Centre (ADS’s ACSC), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (Cyber Centre), the New Zealand National Cyber Security Centre (NCSC-NZ), and CERT-New Zealand (CERT NZ). The CSA is based on cyber threat actors that have been actively exploiting the previously identified Ivanti vulnerabilities: CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Due to the urgency and high-profile nature of these vulnerabilities that were discovered recently, AttackIQ previously and pre-emptively released an assessment template in response to activities carried out by UNC5221 (also known as UTA0178), who were reported to have been actively exploiting the Ivanti vulnerabilities.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by  , it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends reviewing CISA’s recommendations and focusing on the techniques emulated in our previously released assessment template.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a considerable number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.

Wrap-up

In summary, the recommended steps as described in this post are a good starting point for evaluating the effectiveness of your security personnel, processes and controls against these and similar threats. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.