Ivanti Connect Secure VPN Exploitation – Correctly Interpreting DNS IoCs

On January 10, 2024, Ivanti disclosed that their Connect Secure VPN devices were breached through two zero-day vulnerabilities. Organizations using these devices are rapidly working to patch and safeguard their networks from potential compromise. The situation highlights how hard it is to use Indicators of Compromise (IoCs) effectively during a fast-moving incident response, and the difficulty defenders face when deciding whether to block domains linked to these exploits.
Affected: Ivanti devices, VPN users, cybersecurity sector

Key points:

  • Ivanti’s Connect Secure VPN devices were compromised through two zero-day vulnerabilities.
  • Organizations are swiftly patching their systems due to the widespread use of Ivanti devices.
  • Multiple Indicators of Compromise (IoCs) were identified in reports from Mandiant and Cybereason.
  • Blocking domains from an IoC list without careful analysis can lead to significant issues.
  • Not all IoCs should be treated equally; legitimate domains may cause problems if blocked.
  • False positives can arise from hasty incident response analysis.
  • Examining the legitimacy of IoCs is critical to reduce incidents of blocking valid sites.
  • Infoblox emphasizes the importance of understanding DNS when approaching domain blocking.
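The key points above argue that an IoC domain should be scoped and vetted before it is blocked. The following Python triage helper is an added example, not code from the original post or from Infoblox: it refangs the report's domain indicators, validates them as hostnames, blocks only the exact FQDN from the report rather than the whole registrable domain, and routes any entry whose registrable domain already appears in a pre-incident traffic baseline to human review. The baseline set is constructed for this example and says nothing about the real domains, and the registrable-domain extraction is a naive last-two-labels stand-in for a Public Suffix List.

```python
import re

# IoC entries as they appear in the report, defanged with "[.]".
IOC_LIST = [
    "api.d-n-s[.]name",
    "ehangmun[.]com",
    "entraide-internationale[.]fr",
    "miltonhouse[.]nl",
    "cpanel.netbar[.]org",
]
# Constructed baseline: registrable domains seen in this org's own DNS logs
# before the incident. Values are made up for the example, not from the report.
BASELINE_SEEN = {"netbar.org", "d-n-s.name"}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real hostname."""
    return ioc.strip().lower().replace("[.]", ".")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: no multi-label public
    suffixes in the input; use a Public Suffix List on real data."""
    return ".".join(host.split(".")[-2:])

def triage(ioc: str, baseline=BASELINE_SEEN) -> dict:
    host = refang(ioc)
    if not HOSTNAME_RE.match(host):
        return {"ioc": ioc, "host": host, "action": "reject",
                "reason": "not a valid hostname"}
    apex = registrable_domain(host)
    # Scope is always the exact FQDN from the report. A wildcard on the apex
    # can take down a shared host (cPanel, dynamic DNS) that others rely on.
    scope = "apex" if host == apex else "fqdn"
    if apex in baseline:
        return {"ioc": ioc, "host": host, "scope": "fqdn", "action": "review",
                "reason": f"{apex} seen in pre-incident traffic; confirm before blocking"}
    return {"ioc": ioc, "host": host, "scope": scope, "action": "block",
            "reason": "no prior benign activity on record"}

def triage_all(iocs=IOC_LIST) -> list:
    """Triage every indicator; the result feeds a block list and a review queue."""
    return [triage(i) for i in iocs]
```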

MITRE Techniques:

  • TA0001 – Initial Access: Exploitation of vulnerabilities in Connect Secure VPN to gain unauthorized access.
  • TA0002 – Execution: Use of compromised VPN devices for potentially malicious activities.
  • TA0040 – Impact: Disruption of services to organizations utilizing Ivanti’s VPN.

Indicators of Compromise:

  • [Domain] api.d-n-s[.]name
  • [Domain] ehangmun[.]com
  • [Domain] entraide-internationale[.]fr
  • [Domain] miltonhouse[.]nl
  • [Domain] cpanel.netbar[.]org

Full Story: https://blogs.infoblox.com/threat-intelligence/ivanti-connect-secure-vpn-exploitation-correctly-interpreting-dns-iocs/