Chinese hackers have strategically exploited zero-day vulnerabilities within Ivanti’s Connect Secure (ICS) and Policy Secure, utilizing a sophisticated attack chain to compromise a select few targets.

The activity was first discovered by Volexity in December 2023 and attributed to a hacking group tracked as UTA0178, suspected of being a Chinese nation-state actor. Early indications suggest that the Ivanti VPN appliance may have been compromised as early as December 3, 2023.

This malicious campaign made use of two zero-day vulnerabilities:

  • CVE-2023-46805 (CVSS score: 8.2): An authentication bypass flaw in the web component of Ivanti Connect Secure and Policy Secure that lets a remote attacker bypass control checks and access restricted resources.
  • CVE-2024-21887 (CVSS score: 9.1): A command injection vulnerability that lets an authenticated administrator send specially crafted requests and execute arbitrary commands on the appliance.

The threat actors chained these two vulnerabilities to achieve unauthenticated command execution on Ivanti Connect Secure. Used in tandem, CVE-2023-46805 removes the authentication requirement, reaching the endpoint that CVE-2024-21887 exposes, and the command injection then lets the attacker craft malicious requests that execute arbitrary commands on the appliance.

Volexity’s analysis of the incident uncovered a multifaceted intrusion. Using the two vulnerabilities, the adversaries stole configuration data, modified existing files, downloaded remote files, and established reverse tunnels from the compromised ICS VPN appliance. They also tampered with a legitimate CGI file (compcheck.cgi) and modified a JavaScript file on the Web SSL VPN login page so that it logged keystrokes and captured user credentials.

Ivanti responded by announcing a phased patch release schedule starting the week of January 22, 2024. Until patches are available, users have been advised to apply the recommended interim mitigation.