The cybersecurity landscape is ablaze with concern as over 40,000 attacks unfold in a mere three days, targeting a critical vulnerability known as Confluence RCE. The urgency of the situation prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a pressing directive on Friday, calling on Federal Civilian Executive Branch (FCEB) agencies to swiftly implement countermeasures against two zero-day vulnerabilities plaguing Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.
The Vulnerabilities Unveiled: A Call to Action
As the cybersecurity community grapples with this crisis, two primary vulnerabilities take center stage – an authentication bypass (CVE-2023-46805) and a code injection flaw (CVE-2024-21887). Threat actors are actively exploiting these weaknesses, enabling them to fashion malicious requests and execute arbitrary commands, ultimately compromising the affected systems.
Unveiling the Exploitation
The situation intensifies as multiple threat actors leverage these vulnerabilities, prompting Ivanti to publicly acknowledge a significant surge in threat actor activity since January 11, 2024, when the vulnerabilities were first disclosed. The implications are grave, with successful exploitation granting threat actors the ability to move laterally, perform data exfiltration, and establish persistent system access, leading to the complete compromise of targeted information systems.
Immediate Actions: Mitigation and Remediation
Acknowledging the gravity of the situation, Ivanti plans to release an update to address these vulnerabilities in the coming week. In the interim, they offer a temporary workaround in the form of an XML file. This file can be imported into affected products to enact crucial configuration changes.
CISA echoes the urgency, urging organizations running ICS to apply the provided mitigation promptly. Additionally, running an External Integrity Checker Tool is recommended to identify signs of compromise. If compromise is detected, CISA advises disconnecting affected systems from networks, resetting devices, and importing the provided XML file.
For Federal Civilian Executive Branch entities, CISA recommends revoking and reissuing stored certificates, resetting admin enable passwords, securing API keys, and resetting passwords for any locally defined users on the gateway.
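The following is an added illustration, not code from the article, Ivanti or CISA, of how an operator might turn the mitigation steps described above into a remediation triage over an appliance inventory. The inventory fields, the `Appliance` record, the `next_actions`/`priority`/`triage` functions and the sample hosts are all assumptions constructed for this example; the step names follow the guidance the article quotes.

```python
"""Remediation triage for Ivanti Connect Secure (ICS) / Policy Secure (IPS).

Added example: maps each appliance's current state to the next steps the
article lists (apply the workaround XML, run the External Integrity Checker
Tool, and for a compromised device disconnect, reset and re-import the XML,
plus credential rotation for FCEB systems). Field names and the inventory
format are assumptions, not an Ivanti or CISA interface.
"""
from dataclasses import dataclass


@dataclass
class Appliance:
    hostname: str
    product: str                # "ICS" or "IPS" (assumed labels)
    internet_exposed: bool      # reachable from the public internet
    mitigation_applied: bool    # vendor workaround XML already imported
    ict_result: str             # "not_run", "clean" or "compromised"
    fceb: bool = False          # Federal Civilian Executive Branch system


# Steps the article lists for an appliance the checker reports as compromised
COMPROMISE_STEPS = (
    "disconnect from network",
    "reset device",
    "import Ivanti mitigation XML",
)

# Additional credential-rotation steps CISA recommends for FCEB entities
FCEB_CREDENTIAL_STEPS = (
    "revoke and reissue stored certificates",
    "reset admin enable passwords",
    "secure/rotate API keys",
    "reset passwords of locally defined users",
)


def next_actions(a: Appliance) -> list[str]:
    """Return the ordered remediation steps still outstanding for one host."""
    if a.ict_result == "compromised":
        steps = list(COMPROMISE_STEPS)
        if a.fceb:
            steps.extend(FCEB_CREDENTIAL_STEPS)
        return steps
    steps = []
    if not a.mitigation_applied:
        steps.append("import Ivanti mitigation XML")
    if a.ict_result == "not_run":
        steps.append("run External Integrity Checker Tool")
    return steps


def priority(a: Appliance) -> int:
    """Lower number means act sooner (0 = confirmed compromise)."""
    if a.ict_result == "compromised":
        return 0
    if a.internet_exposed and not a.mitigation_applied:
        return 1  # exposed and unmitigated: exploitable right now
    if not a.mitigation_applied or a.ict_result == "not_run":
        return 2
    return 3      # mitigated and checked clean: nothing outstanding


def triage(inventory: list[Appliance]) -> list[dict]:
    """Sort the inventory by urgency and attach the outstanding steps."""
    rows = [
        {"hostname": a.hostname, "priority": priority(a),
         "actions": next_actions(a)}
        for a in inventory
    ]
    return sorted(rows, key=lambda r: (r["priority"], r["hostname"]))


# Constructed sample inventory (hostnames and states are made up)
SAMPLE_INVENTORY = [
    Appliance("vpn-dc1", "ICS", True, False, "not_run"),
    Appliance("vpn-dc2", "ICS", True, True, "compromised", fceb=True),
    Appliance("nac-lab", "IPS", False, False, "not_run"),
    Appliance("vpn-dr", "ICS", True, True, "clean"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"P{row['priority']} {row['hostname']}: "
              + (", ".join(row["actions"]) or "no action outstanding"))
```

The ordering encodes the article's own logic: a confirmed compromise outranks everything, an exposed appliance that has not yet imported the workaround comes next, and a host that is mitigated but has not been checked still needs the integrity check before it can be considered done.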
Exploitation in the Wild
Leading cybersecurity firms, Volexity and Mandiant, have observed threat actors exploiting these vulnerabilities to deploy web shells and passive backdoors. The impact is substantial, with an estimated 2,100 compromised devices worldwide. The initial attack wave, dating back to December 2023, has been attributed to a Chinese nation-state group tracked as UTA0178.
Threat intelligence firm GreyNoise reports opportunistic exploitation for financial gain, with attackers leveraging the vulnerabilities to deploy persistent backdoors and XMRig cryptocurrency miners.
Unraveling the Scope: New Revelations
In a recent analysis, Censys reports a concerning finding. As of January 22, 2024, 26,095 unique Connect Secure hosts are exposed on the public internet. Shockingly, 412 of these hosts are already compromised with a backdoor. The majority of infections have been observed in the U.S., Germany, South Korea, China, Japan, Hong Kong, the U.K., Canada, Italy, and the Netherlands.
In conclusion, the unfolding threat of the Confluence RCE demands immediate action. By understanding the vulnerabilities, implementing mitigation measures, and staying vigilant, organizations can fortify their defenses against this pervasive cybersecurity menace.