Ivanti VPN malware can survive a factory reset, warns CISA

The Chinese threat actor UNC5325 is reported by security vendor Mandiant to be actively exploiting the vulnerabilities.

John Leonard

The U.S. Cybersecurity and Infrastructure Agency (CISA) has warned that attackers exploiting vulnerabilities in Ivanti VPN appliances can maintain a presence on infected devices, even after a factory reset. 

Attackers can also evade detection by Ivanti's Integrity Checker Tool.

The agency is urging users of Ivanti Connect Secure and Ivanti Policy Secure VPN appliances to take urgent measures to mitigate the threat, and to consider replacing them altogether.

The vulnerabilities (tracked as CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, CVE-2024-21893) allow authentication bypass, command injection, server-side request forgery and arbitrary command execution.

They have already been exploited on several occasions since being publicly disclosed in January 2024. Another vulnerability (CVE-2021-22893) was previously used in 2021 to breach dozens of organizations in the U.S. and Europe.

The Chinese threat actor UNC5325 is reported by security vendor Mandiant to be actively exploiting the vulnerabilities to deploy malware that can survive factory resets and patches. Another Chinese group, UNC3886, may also be exploiting the flaws.

CISA's research found that Ivanti's Integrity Checker Tool was not always effective in detecting compromise. Ivanti has since released an updated version of the scanning tool.

In an advisory the agency said that organizations using the affected VPN appliances should immediately:

  1. Limit outbound internet connections from SSL VPN appliances to restrict access to required services.
  2. Keep all operating systems and firmware up to date.
  3. Limit SSL VPN connections to unprivileged accounts.
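The first of those measures, an egress allowlist for the appliances, is only useful if someone checks that it holds. The script below is an added illustration, not from CISA's advisory or from Ivanti: it reads constructed firewall flow records, picks out connections that originate from the appliances' addresses, and reports any destination, port or protocol that is not on a small allowlist of services the appliance legitimately needs (the addresses, ports and the "src= dst= dport= proto=" record format are all assumptions made up for the example).

```python
"""Egress allowlist audit for SSL VPN appliances.

Added illustration (not CISA's or Ivanti's code): checks flow records from
the firewall in front of the appliances against an allowlist of destinations
the appliance is expected to reach, and reports everything else.
All addresses, ports and log lines below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed: external/egress addresses of the VPN appliances being monitored.
APPLIANCE_IPS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("203.0.113.11"),
}

# Constructed allowlist of (destination network, port, protocol) tuples, e.g.
# a vendor update/licensing service, an internal resolver and an internal NTP
# server. Any appliance-originated flow not matching one of these is reported.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("198.51.100.0/24"), 443, "tcp"),  # hypothetical update service
    (ipaddress.ip_network("192.0.2.53/32"), 53, "udp"),     # internal DNS resolver
    (ipaddress.ip_network("192.0.2.123/32"), 123, "udp"),   # internal NTP server
]


def parse_flow(line):
    """Parse one constructed 'src=... dst=... dport=... proto=...' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"].lower(),
    )


def is_allowed(flow):
    """True if destination, port and protocol all match an allowlist entry."""
    return any(
        flow.dst in net and flow.dport == port and flow.proto == proto
        for net, port, proto in EGRESS_ALLOWLIST
    )


def audit(lines):
    """Return appliance-originated flows that fall outside the allowlist.

    Inbound flows (appliance is the destination) are ignored; the check is
    about what the appliance itself talks to on the way out.
    """
    violations = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if flow.src in APPLIANCE_IPS and not is_allowed(flow):
            violations.append(flow)
    return violations


# Constructed sample flow records: three expected, two unexpected, one inbound.
SAMPLE_FLOWS = """
src=203.0.113.10 dst=198.51.100.20 dport=443 proto=tcp
src=203.0.113.10 dst=192.0.2.53 dport=53 proto=udp
src=203.0.113.11 dst=192.0.2.123 dport=123 proto=udp
src=203.0.113.11 dst=203.0.113.200 dport=8443 proto=tcp
src=203.0.113.10 dst=192.0.2.53 dport=443 proto=tcp
src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS.splitlines()):
        print(f"unexpected egress: {v.src} -> {v.dst}:{v.dport}/{v.proto}")
```

Matching on the full (destination, port, protocol) tuple rather than the destination alone is deliberate: the fifth sample record goes to an allowed host (the resolver) but over TCP/443 instead of UDP/53, and is still reported, which is the kind of deviation an appliance under someone else's control would produce.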

Security teams should "assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time," the advisory, published February 29, said.

It added that organizations should "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment."

We have contacted Ivanti for comment.

This article originally appeared on our sister site Computing. 
