Keypoints
- Attackers exploited two chained zero-days in Ivanti Connect Secure (CVE-2023-46805, an authentication bypass, chained with CVE-2024-21887, a command injection) to gain code execution on VPN appliances.
- Volexity discovered over 1,700 ICS VPN appliances compromised with a variant of the GIFTEDVISITOR webshell after scanning ~30,000 IPs.
- Compromises used webshell backdoors with per-victim AES keys (earlier sample used ‘1234567812345678’; later variants used truncated UUID strings).
- Evidence shows the original threat actor UTA0178 and additional actors (including UTA0188) are exploiting the vulnerability and performing mass scanning.
- Ivanti released a mitigation and Integrity Checker tools; mitigation prevents exploitation but does not remove existing backdoors.
- Recommended actions: apply Ivanti mitigation, run the Integrity Checker, and follow incident response steps if mismatched files are detected.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers leveraged two zero-day vulnerabilities in Ivanti Connect Secure to gain initial access (‘exploiting two zero-day vulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances.’)
- [T1595] Active Scanning – Multiple actors mass-scanned for exposed ICS VPN devices (see Keypoints); the figure quoted below is Volexity's own defensive scan used to measure the spread of the compromise, not attacker activity (‘Volexity then scanned roughly 30,000 ICS IP addresses.’)
- [T1505.003] Web Shell – Compromised appliances were backdoored with the GIFTEDVISITOR webshell variant to maintain access (‘backdoored with a slightly different variant of the GIFTEDVISITOR webshell’).
- [T1071.001] Application Layer Protocol: Web Protocols – The attackers invoked specific file paths and HTTP requests to interact with the appliance/webshell (‘Volexity observed various file paths … being requested via logs from its customer ICS VPN appliances.’)
- [T1027] Obfuscated Files or Information – The webshell AES-encrypted its payloads, and the key was changed from a static value in the earlier sample to a per-victim truncated UUID in later variants, so a signature on the original key alone misses them (‘they replaced the AES key used with a truncated UUID string’ and earlier ‘1234567812345678’).
Indicators of Compromise
- [Vulnerability] exploited – CVE-2024-21887, CVE-2023-46805 (chain used to gain access to Ivanti Connect Secure appliances)
- [File name / webshell] backdoor – GIFTEDVISITOR webshell (backdoored visits.py on the ICS appliance; later variants differ only slightly, notably in the AES key)
- [Encryption key / config] webshell key examples – ‘1234567812345678’ (earlier sample), and per-victim truncated UUID strings used as AES keys
- [Scanning results] compromised hosts summary – ~30,000 ICS IPs scanned by Volexity, >1,700 compromised appliances identified (specific victim IPs are not published in the article)
Volexity’s technical findings show a straightforward exploitation chain: threat actors used two zero-day flaws in Ivanti Connect Secure to execute code on public-facing VPN appliances, then planted a GIFTEDVISITOR webshell to maintain access. The webshell variants observed used different AES keys per victim: the initial sample used the static key ‘1234567812345678’, while the subsequent widespread compromises used truncated UUID strings. This per-host customization of the key means a static indicator built from the first sample will not match later variants; detection has to look at the webshell's structure or the file it modifies rather than the key value.
Detection was achieved by scanning for webshell artifacts and by using Ivanti’s Integrity Checker; Volexity scanned roughly 30,000 ICS IP addresses and identified over 1,700 appliances carrying the webshell. Logs from appliances (in particular those with Ivanti’s mitigation applied, which blocks the requests and records them) showed requests for non-public file paths and URI patterns consistent with exploitation attempts, and the requests came from multiple source IPs, indicating that working exploit code has spread beyond the initial actor.
Technical remediation and response: apply Ivanti’s published mitigation immediately to block further exploitation (it does not remove backdoors already installed), run the built-in or external Ivanti Integrity Checker to detect mismatched or newly added files, and if the Integrity Checker reports hits, follow forensic and containment steps: remove the webshell, rotate keys and credentials that the appliance held or could reach, and perform a full incident response as detailed in Volexity’s guidance.
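The two points above, that an integrity check flags mismatched or newly added files and that the webshell's AES key varies per victim, can be put together into one triage routine. The following is an added example and not Volexity's, Ivanti's, or the attackers' code. It assumes a baseline manifest of SHA-256 digests (the real Integrity Checker keeps its own manifest, which is not reproduced), a constructed webshell stub that only mimics a 16-character AES key literal (the real GIFTEDVISITOR code is not on the page and is not reproduced), and an assumed form for the truncated UUID key: a hex UUID cut to 16 characters, which is exactly the AES-128 key length. The point it demonstrates is that matching on the one known static key finds only the earlier sample, while a pattern for the truncated-UUID form also catches the per-victim keys.

```python
"""Triage of integrity-check hits for webshell-style AES key literals.

Added example; not the appliance's, Volexity's, or Ivanti's code.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Key used by the earlier GIFTEDVISITOR sample (stated in the article).
STATIC_KEY = "1234567812345678"
# Later variants used a truncated UUID string as the key. Assumption: a hex
# UUID (8-4-4-4-12) cut to its first 16 characters, e.g. "1b4e28ba-2fa1-11".
TRUNC_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{2}$")
# Assumed spelling for a key literal: a name containing "key" assigned a
# 16-character string.  This is the constructed stub's convention, not the
# real webshell's.
KEY_LITERAL_RE = re.compile(
    r"""\b\w*key\w*\s*=\s*b?['"]([^'"\n]{16})['"]""", re.IGNORECASE
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Baseline: path relative to root -> SHA-256 of its contents."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_check(root: Path, manifest: dict[str, str]) -> dict:
    """Compare the live tree with the baseline: mismatched, added, missing."""
    current = build_manifest(root)
    return {
        "mismatched": sorted(f for f in current if f in manifest and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "missing": sorted(f for f in manifest if f not in current),
    }


def classify_key(key: str) -> str | None:
    """'static' for the known key, 'truncated_uuid' for the per-victim form,
    None when the 16-character literal matches neither."""
    if key == STATIC_KEY:
        return "static"
    if TRUNC_UUID_RE.match(key):
        return "truncated_uuid"
    return None


def find_key_literals(path: Path) -> list[tuple[str, str]]:
    """Every (key, kind) pair for suspicious 16-character key literals in a file."""
    text = path.read_text(errors="replace")
    hits = []
    for m in KEY_LITERAL_RE.finditer(text):
        kind = classify_key(m.group(1))
        if kind:
            hits.append((m.group(1), kind))
    return hits


def triage(root: Path, manifest: dict[str, str]) -> dict:
    """Run the integrity check, then inspect each mismatched or added file.
    A static IOC alone would report only the 'static' kind."""
    report = integrity_check(root, manifest)
    findings = {}
    for f in report["mismatched"] + report["added"]:
        hits = find_key_literals(root / f)
        if hits:
            findings[f] = hits
    report["key_findings"] = findings
    return report


# Constructed stub standing in for code injected into a legitimate file.
# It is NOT the GIFTEDVISITOR webshell; it only carries a key literal.
WEBSHELL_STUB = (
    "\n# --- injected ---\n"
    "aes_key = '{key}'\n"
    "def _run(blob):\n"
    "    return blob  # placeholder; the real variant decrypts and executes\n"
)


def demo() -> dict:
    """Constructed tree: take a baseline, then simulate an earlier-style
    compromise (static key), a later variant (truncated UUID key) and a
    dropped file with no key at all."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "visits.py").write_text("def record_visit(u):\n    return u\n")
        (root / "health.py").write_text("def ok():\n    return True\n")
        (root / "compcheck.py").write_text("def check():\n    return 0\n")
        manifest = build_manifest(root)

        with (root / "visits.py").open("a") as fh:
            fh.write(WEBSHELL_STUB.format(key="1b4e28ba-2fa1-11"))  # constructed UUID prefix
        with (root / "health.py").open("a") as fh:
            fh.write(WEBSHELL_STUB.format(key=STATIC_KEY))
        (root / "dropped.py").write_text("print('hi')\n")
        return triage(root, manifest)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In the demo, `dropped.py` shows up under `added` but not under `key_findings`, which is the expected behaviour: the integrity check is the trigger, and the key-pattern check is only a way to prioritise which hits to look at first, not a reason to clear a file that carries no recognisable key.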
Read more: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/