Five Eyes Agencies Warns about Continuing Exploitation of Ivanti Connect Secure and Policy Secure Vulnerabilities
The Five Eyes Cybersecurity Agencies have released an alert that multiple threat actors have actively exploited earlier disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways since early December 2023.
The vulnerabilities, CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 affect all supported versions (9.x and 22.x) and could be chained to circumvent authentication, make malicious requests, and carry out arbitrary commands with higher privileges. Based on the notification, Ivanti’s internal and prior external Integrity Checker Tool (ICT) did not identify malicious activity connected with exploitation. CISA showed in a test environment that the ICT is not adequate to recognize compromise and that it is likely to acquire root-level persistence despite issuing factory resets.
Alphabet’s Mandiant has been examining the exploitation of the zero-day vulnerabilities and stated the exploitation had probably impacted many devices across several industry verticals. A number of those attacks were related to a supposed Chinese cyber espionage group tracked as UNC5325. The threat actor utilized living-of-the-land tactics and novel malware to gain persistence. Mandiant said the patches introduced by Ivanti are useful at stopping exploitation, as long as UNC5325 did not exploit the vulnerability before applying the patches. Mandiant mentioned UNC5325 has retained access even after clients have started factory resets, patching, and using the proposed security improvements.
The Five Eyes agencies suggest that network defenders believe that user and service account data saved in affected Ivanti VPN appliances are possibly compromised and ought to hunt for malicious activity utilizing the detection mechanisms and IoCs information in its advisory, and should also run the newest version of Ivanti’s external ICT. In case the vulnerabilities are not yet patched, system defenders need to make sure they are used immediately and must stick to the suggestions mentioned in the most recent Ivanti security alert. Mandiant likewise suggests following the instructions given in its updated Ivanti Connect Secure Hardening Guide.
High Severity Vulnerabilities Discovered in MicroDicom DICOM Viewer
Two high-severity vulnerabilities were found in the free MicroDicom DICOM Viewer, which is employed to see and edit DICOM images. Successful vulnerability exploitation may result in remote code execution and memory destruction.
The first vulnerability CVE-2024-22100 is a heap-based buffer overflow vulnerability that may be exploited in a low-complexity attack by fooling a user into clicking a malicious DCM file, which would enable a remote attacker to execute arbitrary code on vulnerable DICOM Viewer models.
The second vulnerability CVE-2024-25578 is an out-of-bounds write issue caused by insufficient proper validation of user-supplied information. Successful exploitation of the vulnerability could cause memory corruption in the software.
The vulnerabilities impact MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and earlier models and were repaired in version 2024.1. End users have been told to update to the most recent version immediately. There are presently no signs that the vulnerabilities have been taken advantage of in cyber attacks.
CISA, FBI Share Most Recent Threat Intelligence Regarding Phobos Ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have given the newest threat intelligence regarding Phobos ransomware, which is utilized to attack municipal and county governments, education, public healthcare, emergency services, and other critical infrastructure organizations. Phobos ransomware is connected to several ransomware variants, such as Eight, Elking, Devos, Backmydata, and Faust ransomware. The Backmydata variant was employed in a February 2024 attack in Romania which led to taking systems offline at about 100 healthcare centers.
Phobos ransomware is a ransomware-as-a-service (RaaS) group actively working since May 2019. The group frequently gets access to victims’ networks via phishing campaigns that send malware via spoofed attachments with hidden payloads, such as the Smokeloader backdoor trojan. Affiliates utilize IP scanning tools like Angry IP Scanner to determine vulnerable Remote Desktop Protocol (RDP) ports that are exposed to brute force attacks. Affiliates have been found leveraging RDP to attack Microsoft Windows devices. Attacks frequently entail Bloodhound, Cobalt Strike, Sharphound, NirSoft, and Remote Desktop Passview to send browser client credentials, and Mimikatz to get credentials.
Phobos practices double extortion strategies, exfiltrating sensitive data besides file encryption and victims must pay for the decryption keys and to stop the publishing of their stolen information on the group’s data leak site. Volume shadow copies are removed from Windows environments to stop attempts to recover without giving a ransom. The ransom demands usually amount to several million dollars.
The Health Sector Cybersecurity Coordination Center issued an advisory concerning Phobos ransomware last July 2021 after several attacks on companies in the healthcare and public health sector that must be HIPAA compliant. The newest notification gives current tactics, techniques, and procedures utilized by the group in cyberattacks up to February 2024, together with the recent Indicators of Compromise (IoCs), MITRE ATT&CK strategies, and suggested mitigations.