Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Vulnerabilities
The Five Eyes cybersecurity agencies have issued a joint advisory warning that multiple threat actors are actively exploiting previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, with exploitation observed since early December 2023.
The vulnerabilities, CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the advisory, Ivanti's internal Integrity Checker Tool (ICT) and the earlier version of its external ICT failed to detect compromise related to exploitation. CISA demonstrated in a lab environment that the ICT alone is insufficient to detect compromise and that a threat actor may be able to gain root-level persistence that survives a factory reset.
Google-owned Mandiant has been investigating exploitation of the zero-day vulnerabilities and reports that it has likely affected numerous devices across multiple industry verticals. Some of the attacks have been attributed to a suspected Chinese cyber espionage group tracked as UNC5325, which used living-off-the-land techniques and novel malware to maintain persistence. Mandiant says the patches released by Ivanti protect against exploitation provided that UNC5325 had not already exploited the vulnerabilities before the patches were applied; in some cases, UNC5325 retained access even after customers performed factory resets, applied the patches, and implemented the recommended security changes.
The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored on affected Ivanti VPN appliances may be compromised, hunt for malicious activity using the detection methods and indicators of compromise (IoCs) provided in the advisory, and run the latest version of Ivanti's external ICT. Where the vulnerabilities have not yet been patched, defenders should apply the patches without delay and follow the instructions in Ivanti's latest security advisory. Mandiant also recommends following the guidance in its updated Ivanti Connect Secure Hardening Guide.
High Severity Vulnerabilities Found in MicroDicom DICOM Viewer
Two high-severity vulnerabilities have been discovered in the freely available MicroDicom DICOM Viewer, which is used to view and edit DICOM medical images. Successful exploitation could lead to remote code execution and memory corruption.
The first, CVE-2024-22100, is a heap-based buffer overflow that could be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, allowing a remote attacker to execute arbitrary code on vulnerable versions of DICOM Viewer.
The second, CVE-2024-25578, is an out-of-bounds write caused by insufficient validation of user-supplied data. Successful exploitation could result in memory corruption within the application.
The vulnerabilities affect MicroDicom DICOM Viewer version 2023.3 (Build 9342) and earlier and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.
CISA, FBI Disclose New Threat Intelligence Concerning Phobos Ransomware
The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA) have released updated threat intelligence on Phobos ransomware, which is used to attack municipal and county governments, public healthcare, education, emergency services, and other critical infrastructure entities. Phobos ransomware is linked to several variants, including Eight, Elking, Devos, Backmydata, and Faust. The Backmydata variant was used in a February 2024 attack in Romania that forced around 100 healthcare facilities to take their systems offline.
Phobos is a ransomware-as-a-service (RaaS) operation that has been active since May 2019. Initial access is typically gained through phishing campaigns that deliver malware via spoofed attachments carrying hidden payloads, such as the SmokeLoader backdoor trojan. Affiliates also use IP scanning tools such as Angry IP Scanner to identify exposed Remote Desktop Protocol (RDP) ports, which are then brute forced, and have been observed using RDP to target Microsoft Windows hosts. Attacks frequently involve Bloodhound and Sharphound for Active Directory enumeration, Cobalt Strike, Remote Desktop Passview and NirSoft tools to export browser client credentials, and Mimikatz to harvest credentials.
Phobos engages in double extortion, exfiltrating sensitive data in addition to encrypting files; victims must pay both for the decryption keys and to prevent the stolen data from being published on the group's data leak site. Volume shadow copies are deleted from Windows systems to hinder recovery without paying the ransom. Ransom demands have reached several million dollars.
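As an added example (not code from the advisory, nor from the Phobos actors' tooling), the following Python implements detection logic for two of the TTPs described above, RDP password brute forcing and volume shadow copy deletion, and runs it over constructed sample events. The JSON event shape, IP addresses, hostnames and the brute-force threshold and window are assumptions chosen for the example.

```python
"""Detection logic for two Phobos TTPs:
(1) RDP password brute forcing: a burst of Windows Security event 4625
    (failed logon) with LogonType 10 (RemoteInteractive) from one source IP;
(2) shadow copy / recovery destruction before encryption: process-creation
    events whose command line matches known deletion commands.
The sample log lines are constructed for this example; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed tuning: 10 or more failed RDP logons from one IP within 5 minutes.
BRUTE_FORCE_THRESHOLD = 10
BRUTE_FORCE_WINDOW = timedelta(minutes=5)

# Command-line patterns commonly used to destroy shadow copies and recovery options.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def sample_log_lines():
    """Constructed JSON-lines sample (not captured from a real incident)."""
    base = datetime(2024, 2, 20, 3, 14, 0)
    lines = []
    # 12 failed RDP logons against 'administrator' from one IP, 10 seconds apart.
    for i in range(12):
        lines.append(json.dumps({
            "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7",
            "TargetUserName": "administrator", "Computer": "FS01",
            "TimeCreated": (base + timedelta(seconds=10 * i)).strftime(TS_FMT)}))
    # A legitimate user mistyping a password twice, 30 minutes apart: below threshold.
    for i in range(2):
        lines.append(json.dumps({
            "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.9",
            "TargetUserName": "jsmith", "Computer": "FS01",
            "TimeCreated": (base + timedelta(minutes=30 * i)).strftime(TS_FMT)}))
    # Sysmon-style process creation events (EventID 1) after the attacker gets in.
    for cmd in ("vssadmin.exe delete shadows /all /quiet",
                "wmic shadowcopy delete",
                "C:\\Windows\\System32\\notepad.exe C:\\Users\\Public\\readme.txt"):
        lines.append(json.dumps({
            "EventID": 1, "Computer": "FS01", "User": "FS01\\administrator",
            "CommandLine": cmd,
            "TimeCreated": (base + timedelta(minutes=7)).strftime(TS_FMT)}))
    return lines


def parse_events(lines):
    """Parse JSON lines into dicts, adding a datetime 'ts' field."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["TimeCreated"], TS_FMT)
        events.append(ev)
    return events


def detect_rdp_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return {source_ip: peak count} for IPs whose failed RDP logons
    (4625, LogonType 10) reach `threshold` within any sliding window of `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625 and ev.get("LogonType") == 10:
            by_ip[ev["IpAddress"]].append(ev["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def detect_shadow_copy_deletion(events):
    """Return process-creation events whose command line matches a deletion pattern."""
    return [ev for ev in events
            if ev.get("EventID") == 1
            and any(p.search(ev.get("CommandLine", "")) for p in SHADOW_DELETE_PATTERNS)]


if __name__ == "__main__":
    evs = parse_events(sample_log_lines())
    print("RDP brute force:", detect_rdp_brute_force(evs))
    for ev in detect_shadow_copy_deletion(evs):
        print("Shadow copy deletion on", ev["Computer"], "by", ev["User"], ":", ev["CommandLine"])
```

The sliding window matters in practice: a fixed per-hour bucket would miss a burst that straddles a bucket boundary, and a threshold without a window flags any long-lived host. Shadow copy deletion is a high-confidence signal on its own; in the Phobos chain it typically appears after the RDP logon succeeds, so correlating the two on the same host (FS01 in the sample) raises the alert to an active ransomware deployment.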
The Health Sector Cybersecurity Coordination Center (HC3) issued an advisory about Phobos ransomware in July 2021 following attacks on organizations in the healthcare and public health sector. The new advisory provides updated tactics, techniques, and procedures (TTPs) used by the group in attacks through February 2024, along with current indicators of compromise (IoCs), MITRE ATT&CK mappings, and recommended mitigations that can also support HIPAA compliance.