
Five Eyes Issues Cybersecurity Advisory on Ivanti Security Flaws and Malware Threats

The Five Eyes (FVEY) intelligence alliance, a group of intelligence agencies from Australia, Canada, New Zealand, the UK, and the US, recently issued a cybersecurity advisory warning that cyber threat actors are taking advantage of known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways. The advisory highlights that these products' Integrity Checker Tool (ICT) can be tricked into providing a false sense of security, leaving organizations vulnerable to compromise.

According to the advisory, the ICT is not sufficient to identify a compromise, and a cyber threat actor may be able to gain root-level persistence even after a factory reset. Ivanti has disclosed five security flaws affecting its products since January 10, 2024. Multiple threat actors have actively exploited four of these to deploy malware. The flaws include:

  • An authentication bypass vulnerability in the web component (CVE-2023-46805).
  • A command injection vulnerability in the web component (CVE-2024-21887).
  • A privilege escalation vulnerability in the web component (CVE-2024-21888).
  • An SSRF vulnerability in the SAML component (CVE-2024-21893).
  • An XXE vulnerability in the SAML component (CVE-2024-22024).

In a recent analysis, Mandiant described how an encrypted version of a web shell known as BUSHWALK is placed in a directory excluded by ICT, /data/runtime/cockpit/risk analysis. Eclypsium had previously highlighted the directory exclusions, stating that the tool skips a dozen directories when scanning. This allows an attacker to leave behind backdoors in one of these paths and still pass the integrity check.
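To make the blind spot concrete, here is an added illustration of why an integrity checker with directory exclusions cannot prove an appliance is clean. This is example code written for this post, not Ivanti's ICT and not code from Mandiant or Eclypsium; the directory tree, the file contents and the exclusion list (`runtime/cache`) are all constructed for the demo. It builds a full-tree SHA-256 baseline, plants an unexpected file inside the excluded directory, and then runs the same comparison twice: once honouring the exclusion list (the way a tool that skips directories behaves) and once over the whole tree.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed exclusion list for the demo. Real tools ship their own list;
# the point is only that anything under an excluded path is never hashed.
EXCLUDED_DIRS = frozenset({"runtime/cache"})


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large appliance binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(rel_posix: str, excluded) -> bool:
    """True if a root-relative POSIX path is, or lies under, an excluded directory."""
    return any(rel_posix == e or rel_posix.startswith(e + "/") for e in excluded)


def build_manifest(root: Path, excluded=frozenset()) -> dict:
    """Map every regular file under root (minus exclusions) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel, excluded):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def integrity_check(root: Path, baseline: dict, excluded=frozenset()) -> dict:
    """Compare the current tree against a known-good baseline.

    The exclusion list is applied to both sides, mirroring a tool whose baseline
    and live scan skip the same directories, so excluded paths are simply invisible.
    """
    visible_baseline = {k: v for k, v in baseline.items() if not is_excluded(k, excluded)}
    current = build_manifest(root, excluded)
    return {
        "added": sorted(set(current) - set(visible_baseline)),
        "removed": sorted(set(visible_baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & visible_baseline.keys()
                           if current[k] != visible_baseline[k]),
    }


def demo():
    """Return (report_with_exclusions, report_full_tree) for a constructed appliance tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree: one scanned directory, one excluded directory.
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"legitimate binary v1")
        (root / "runtime" / "cache").mkdir(parents=True)
        (root / "runtime" / "cache" / "index").write_bytes(b"cache data")

        # Known-good baseline taken over the WHOLE tree, before any tampering.
        baseline = build_manifest(root)

        # Simulated post-compromise state: a scanned file is altered (the checker
        # should catch this) and an unexpected file appears in the excluded
        # directory (a checker that skips it cannot).
        (root / "bin" / "service").write_bytes(b"legitimate binary v1 + patch")
        (root / "runtime" / "cache" / "helper.pl").write_bytes(b"unexpected content")

        with_exclusions = integrity_check(root, baseline, EXCLUDED_DIRS)
        full_tree = integrity_check(root, baseline)
        return with_exclusions, full_tree


if __name__ == "__main__":
    partial, full = demo()
    print("with exclusions:", partial)
    print("full tree:      ", full)
```

Both runs flag the modified `bin/service`, so the checker is not broken; it is blind. Only the full-tree run reports `runtime/cache/helper.pl` as an added file. The defensive takeaway is the one the advisory makes: a passing result from a scanner with exclusions is evidence only about the paths it covers, so any decision about whether a device is trustworthy has to account for the directories it never looked at.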

The agencies urge organizations to consider the significant risk of adversary access to and persistence on Ivanti Connect Secure and Ivanti Policy Secure gateways when deciding whether to continue operating these devices in an enterprise environment. They also recommend that network defenders assume a sophisticated threat actor may deploy rootkit-level persistence on a device that has been reset and lie dormant for an arbitrary amount of time.

In response to the advisory, Ivanti has stated that it is unaware of any successful threat actor persistence following the implementation of security updates and factory resets. The company is also releasing a new version of ICT that provides additional visibility into a customer's appliance and all files on the system.

Deitasoft © 2024. All Rights Reserved.