Cyber threat actors are actively exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, tracked as CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. The vulnerabilities affect all supported versions and are chained together to bypass authentication, craft malicious requests and execute arbitrary commands with elevated privileges.
Ivanti's Integrity Checker Tool (ICT) is not sufficient on its own to detect compromise: CISA's independent lab testing found that threat actors can deceive the ICT and retain root-level persistence on the appliance even after a factory reset.
Network defenders should assume that user and service account credentials stored on affected appliances are compromised, hunt for malicious activity on the gateway and in the surrounding network, run the latest version of the ICT (treating a clean result as inconclusive rather than as proof of integrity), and apply patches as they become available.
If a compromise is detected, quarantine or take the affected hosts offline, reimage them, reset credentials (including any that were stored on or exposed through the appliance), identify and remove any administrator accounts the attacker created, and collect and analyze artifacts before the evidence is destroyed by rebuilding.
CISA recommends that organizations weigh the significant risk of adversary access and persistence on Ivanti gateways when deciding whether to continue operating them in their environment.
CISA Emergency Directive (ED) 24-01 requires Federal Civilian Executive Branch (FCEB) agencies to take specific actions on affected products.
The Canadian Centre for Cyber Security has issued an alert with periodic updates for affected IT professionals.
The advisory provides Indicators of Compromise (IOCs) and YARA rules to aid in detecting malicious activity.
Network defenders should map malicious cyber activity to the MITRE ATT&CK framework for improved detection and response.