If Vulnerabilities Can Take Down Even the Most Prepared, What Can You Do?

In January 2024 a zero-day vulnerability chain affecting Ivanti Connect Secure and Ivanti Policy Secure gateways (CVE-2023-46805 and CVE-2024-21887) was disclosed. Together these vulnerabilities let an attacker bypass authentication and then execute arbitrary commands on the appliance, which is a recipe for full compromise of the device. Each is serious on its own; chained, they give an unauthenticated remote attacker control of the gateway, and that combination is what makes them so important.

Despite the news coverage and vendor alerts about these vulnerabilities, and multiple advisories from the Cybersecurity and Infrastructure Security Agency (CISA), the impact was significant and reached several U.S. federal agencies, CISA itself among them.

Even strong security postures were not immune, as a recent disclosure from MITRE shows. MITRE is a non-profit research and development organization that primarily supports the U.S. federal government and is well known in the security community for its frameworks, including ATT&CK and STIX/TAXII. Attackers leveraged the Ivanti vulnerabilities to breach MITRE’s defences and gain initial access to its network.

This post summarizes the Ivanti VPN vulnerabilities, their implications, and the steps you should take now to strengthen your defences.


A Recap of the Ivanti Connect Secure Vulnerabilities

Volexity published research on the two Ivanti vulnerabilities in early January 2024, noting that they were already being exploited in the wild. The vulnerabilities work as a pair:

CVE-2023-46805, Authentication Bypass: a flaw in the access-control checks of the appliance’s web component that lets an unauthenticated remote attacker reach resources that should require authentication.

CVE-2024-21887, Command Injection: a flaw in the web component that lets an authenticated administrator send crafted requests and execute arbitrary commands on the appliance. On its own it requires admin access; combined with the bypass above, no credentials are needed at all.

The key point is that chaining the two yields remote code execution (RCE) without any legitimate credentials. That effectively opens the door for attackers to enter your network, deploy malware, steal or exfiltrate data, or disrupt essential operations.
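To make the chain concrete, here is an added toy model of the bug class the two CVEs belong to. It is not Ivanti’s code and does not reproduce the real CVE-2023-46805 / CVE-2024-21887 logic: the routes, the `/api/v1/public/` prefix, the `/admin/diag` endpoint and the `ping` diagnostic are all hypothetical. What it shows is how an access-control check that can be stepped around turns an admin-only command injection into unauthenticated RCE, and what the hardened form of both looks like.

```python
"""Toy model of an authentication-bypass + command-injection chain.

Added illustration, not Ivanti's code and not the real logic of
CVE-2023-46805 / CVE-2024-21887. It models the bug *class*: an allowlist
check that can be bypassed, feeding an admin-only endpoint that builds a
shell command from user input. Routes and the 'ping' diagnostic are
hypothetical; no real command is ever executed.
"""
import posixpath
import re
from typing import Dict, List, Optional, Union

# Hypothetical routing policy: only /api/v1/public/* is reachable without a session.
PUBLIC_PREFIX = "/api/v1/public/"
ADMIN_DIAG = "/admin/diag"
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Either an HTTP-style status string, or the argv lists that would be executed.
Result = Union[str, List[List[str]]]


class Request:
    """Constructed request: path, query params, and whether a valid admin session was presented."""

    def __init__(self, path: str, params: Optional[Dict[str, str]] = None, admin: bool = False):
        self.path, self.params, self.admin = path, params or {}, admin


def fake_shell(cmdline: str) -> List[List[str]]:
    """Stand-in for `sh -c`: returns every command the shell would run, as argv lists."""
    parts = re.split(r"\s*(?:;|\|\||&&|\||&)\s*", cmdline)
    return [p.split() for p in parts if p.strip()]


def vulnerable_gateway(req: Request) -> Result:
    # Flaw 1: the allowlist is checked against the *raw* path, so
    # "/api/v1/public/../../../admin/diag" is treated as public ...
    if not req.path.startswith(PUBLIC_PREFIX) and not req.admin:
        return "401 unauthorized"
    resolved = posixpath.normpath(req.path)  # ... and only resolved afterwards.
    if resolved == ADMIN_DIAG:
        # Flaw 2: the admin-only diagnostic concatenates user input into a shell string.
        return fake_shell("ping -c 1 " + req.params.get("host", ""))
    return "200 ok"


def hardened_gateway(req: Request) -> Result:
    resolved = posixpath.normpath(req.path)  # normalize first, authorize on the result
    if not resolved.startswith(PUBLIC_PREFIX) and not req.admin:
        return "401 unauthorized"
    if resolved == ADMIN_DIAG:
        host = req.params.get("host", "")
        if not HOST_RE.fullmatch(host):  # strict allowlist of hostname characters
            return "400 bad host"
        return [["ping", "-c", "1", host]]  # argv list, no shell: host is exactly one argument
    return "200 ok"


def unauthenticated_chain(gateway) -> Result:
    """The chain as an attacker drives it: no session, traversal in the path, injection in a parameter."""
    req = Request("/api/v1/public/../../../admin/diag", {"host": "127.0.0.1; id"})
    return gateway(req)


if __name__ == "__main__":
    print("vulnerable:", unauthenticated_chain(vulnerable_gateway))  # ping ... AND id would run
    print("hardened:  ", unauthenticated_chain(hardened_gateway))    # 401 unauthorized
```

The two fixes are independent, and that is the point of the page’s “chained” observation: normalizing the path before the authorization check closes the bypass, and passing the host as a single argv element (after validating it) closes the injection. Either alone would have broken this particular chain; a defender should still fix both, because the next bypass may arrive through a different door.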

 

How It Worked: MITRE’s Ivanti Breach

As stated in MITRE’s security breach report, “a threat actor conducted network reconnaissance and exploited one of our virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities and escaped our multi-factor authentication using session hijacking.” Once inside, they moved laterally and used a compromised administrator account to access the organization’s virtual machine infrastructure.

According to MITRE, it replaced and upgraded the Ivanti appliances in line with vendor best practices and government guidance. By the time that work was complete, however, the attackers had already moved into MITRE’s VMware infrastructure, where they went undetected until April, roughly three months after the Ivanti vulnerabilities were first made public.

MITRE disclosed detailed information about the incident, noting that doing so can “assist in informing others about similar threats.” The details include the tactics, techniques and procedures (TTPs), mapped to MITRE ATT&CK, that the attackers used to gain initial access, establish persistence, evade detection and exfiltrate data.


Securing Your Network: Patching, Detection, Remediation and Segmentation

Even the best-prepared and best-resourced enterprises can fall victim to cyberattacks. That is disheartening, but there are many concrete steps you can take to safeguard your organization.

MITRE highlighted several essential security hardening practices that all enterprises should adhere to. We have included some of these below that we believe are fundamental.

Integrated Patch Management: Make patching a top priority, especially if your organization runs Ivanti Connect Secure or Ivanti Policy Secure gateways (apply the most recent updates from Ivanti, which have been available since February 14th, 2024).

Strong Multi-Factor Authentication: Use strong MFA, and pair it with strict session-management policies (short session lifetimes, sessions bound to the client that passed MFA, re-authentication for privileged actions) so that a stolen session cookie cannot be used to step around MFA, which is exactly how the attackers got past it at MITRE.
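Session hijacking is what let the MITRE attackers sidestep MFA, so here is an added example of the two controls a gateway operator can actually implement: issuing sessions only after MFA and binding them to the client, and checking access logs for sessions used from more than one address. This is example code, not MITRE’s or Ivanti’s; it assumes the gateway can see the client’s source IP and User-Agent at login and on every request, and the log lines it reads are constructed for the example.

```python
"""Session binding plus a log check for hijacked sessions.

Added example, not MITRE's or Ivanti's code. Assumes the gateway sees the
client's source IP and User-Agent on every request; the sample log below
is constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional


def client_fingerprint(src_ip: str, user_agent: str) -> str:
    """Client attributes the session is bound to. Stronger bindings exist (device
    certificate, TLS-bound tokens); IP + UA is the minimum that defeats a plain cookie replay."""
    return hashlib.sha256(f"{src_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Sessions are issued only after MFA, bound to the client fingerprint and
    given a short lifetime, so a copied cookie is useless from another host."""

    def __init__(self, ttl_seconds: int = 900, now: Callable[[], float] = time.time):
        self.ttl, self.now = ttl_seconds, now
        self._sessions: Dict[str, dict] = {}

    def issue(self, user: str, src_ip: str, user_agent: str, mfa_passed: bool) -> Optional[str]:
        if not mfa_passed:
            return None  # no session without a completed MFA challenge
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": client_fingerprint(src_ip, user_agent),
                                 "issued": self.now()}
        return token

    def validate(self, token: str, src_ip: str, user_agent: str) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.now() - s["issued"] > self.ttl:
            self._sessions.pop(token)  # expired: force a fresh login and MFA
            return None
        if not hmac.compare_digest(s["fp"], client_fingerprint(src_ip, user_agent)):
            self._sessions.pop(token)  # replay from another client: revoke, not just deny
            return None
        return s["user"]


# Constructed gateway access log: one request per line, key=value fields.
SAMPLE_LOG = """\
2024-01-12T09:00:01Z sid=a1 user=alice src=203.0.113.10
2024-01-12T09:00:30Z sid=a1 user=alice src=203.0.113.10
2024-01-12T09:02:10Z sid=a1 user=alice src=198.51.100.77
2024-01-12T09:05:00Z sid=b2 user=bob src=192.0.2.5
"""


def sessions_seen_from_multiple_ips(log_text: str) -> Dict[str, List[str]]:
    """Flags any session id used from more than one source address: the
    simplest log signature of a hijacked session."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        seen[fields["sid"]].add(fields["src"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


def demo() -> Dict[str, Optional[str]]:
    """Walk-through: legitimate use, replay from another host, then expiry."""
    clock = [1000.0]
    store = SessionStore(ttl_seconds=900, now=lambda: clock[0])
    assert store.issue("alice", "203.0.113.10", "ua-1", mfa_passed=False) is None
    tok = store.issue("alice", "203.0.113.10", "ua-1", mfa_passed=True)
    legit = store.validate(tok, "203.0.113.10", "ua-1")      # 'alice'
    stolen = store.validate(tok, "198.51.100.77", "ua-1")    # None, and the session is revoked
    after = store.validate(tok, "203.0.113.10", "ua-1")      # None: already revoked
    tok2 = store.issue("alice", "203.0.113.10", "ua-1", mfa_passed=True)
    clock[0] += 901
    expired = store.validate(tok2, "203.0.113.10", "ua-1")   # None: past TTL
    return {"legit": legit, "stolen": stolen, "after_revoke": after, "expired": expired}


if __name__ == "__main__":
    print(demo())
    print(sessions_seen_from_multiple_ips(SAMPLE_LOG))  # {'a1': ['198.51.100.77', '203.0.113.10']}
```

Binding to the source IP will break sessions for users whose address changes mid-session (mobile networks, some corporate proxies), so in practice it is better paired with a device certificate or a TLS-bound token and a re-authentication prompt rather than a hard revoke; the log check, on the other hand, costs nothing and would have surfaced the cookie reuse described in MITRE’s report.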

Regular Vulnerability Management and Remediation: Run thorough, frequent vulnerability scans across your environment and act on the results promptly. It is no longer enough to simply identify vulnerabilities; MITRE’s incident shows how quickly attackers can turn a known weakness into access to an enterprise, so remediation has to be just as fast.

Network Segmentation: Segmenting your network greatly limits the damage a breach can do. An attacker who gains a foothold in one segment will find it much harder to move laterally and compromise the rest of your infrastructure, which is the path the MITRE intrusion took from the VPN appliance into the virtualization layer.

Layered Security: A layered security strategy is essential. Patching matters, but you should not rely on it alone. Use intrusion detection and prevention systems (IDS/IPS) to watch for unusual behaviour, and consider endpoint detection and response (EDR) tooling for additional coverage.

This incident serves as a sobering reminder that cyberattacks can still target well-resourced enterprises with sophisticated security measures. Furthermore, it emphasizes how crucial it is to maintain vigilance and apply patches as soon as possible.


Conclusion

The growing number of attackers seeking to exploit flaws in VPN software, and MITRE’s incident in particular, should serve as a wake-up call for any business that needs to protect its customer data and operations. You can greatly lower the risk of a similar attack by putting the security controls above in place to harden your network, acting quickly to identify and remediate critical vulnerabilities in your environment as soon as they are made public, and continuously monitoring your network for anomalies.

Copyright © 2023 by SeoArticleBiz. All rights reserved.