Joint Cyber Security Advisory warns threat actors exploit multiple vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

The Canadian Centre for Cyber Security (Cyber Centre) joined the Cybersecurity and Infrastructure Security Agency (CISA) and the following international partners in releasing a cyber security advisory highlighting multiple vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways:

  • Federal Bureau of Investigation (FBI)
  • Multi-State Information Sharing and Analysis Center (MS-ISAC)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ)
  • Computer Emergency Response Team New Zealand (CERT-NZ)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)

The vulnerabilities noted in this joint cyber security advisory impact all supported versions (9.x and 22.x). These vulnerabilities can be used in a chain of exploits to enable threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. These initial exploits can be leveraged to inflict further damage, including but not limited to data exfiltration and credential theft.

This joint advisory provides observed tactics, techniques, and procedures (TTPs) along with indicators of compromise (IOCs). Organizations should consider the risks of threat actor access to and persistence on these Ivanti gateways when determining whether to continue operating these devices in an enterprise environment. Credentials and sensitive data stored within the affected Ivanti VPN appliances should be considered compromised.

Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and IOCs within the joint advisory.

The Cyber Centre encourages organizations to implement the recommendations in this advisory.

Canadian organizations that discover a potential compromise are encouraged to report it via the My Cyber Portal, or email contact@cyber.gc.ca.

Read the joint cyber security advisory:

Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
