Executive summary

Fortinet firewalls hit with new zero-day attack, older data leak

Rapid7 is investigating two separate events affecting Fortinet firewall customers:

  • Zero-day exploitation of CVE-2024-55591, an authentication bypass vulnerability in FortiOS and FortiProxy disclosed earlier this week. Successful exploitation could allow remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module.
  • A January 15, 2025 dark web post from a threat actor who looks to have published IPs, passwords, and configuration data from 15,000 FortiGate firewalls. The data leaked online appears to be several years old (2022). Rapid7 has not attributed any CVEs to the leaked data at this time.

FortiGate data leak

On Wednesday, January 15, 2025, a threat actor named “Belsen Group” published a trove of Fortinet FortiGate firewall data on the dark web, allegedly from 15,000 organizations. The data released included IP addresses, passwords, and firewall configuration information — a potentially significant risk for organizations whose data was leaked.

Security researcher Kevin Beaumont has an initial analysis of the leaked data, along with his assessment that the data leaked this week appears to be from 2022. After conducting our own outreach to potentially affected organizations, Rapid7 has also confirmed that at least some of the leaked data originated from 2022 incidents where customer firewalls were compromised. Based on Beaumont’s analysis and observations from our own investigations, it’s likely that the data dump published by the threat actor contains primarily or entirely older data.

Rapid7 has not attributed the data leak to a specific CVE at this time. Beaumont said his observations from incident responses indicate that CVE-2022-40684 (a Fortinet firewall zero-day flaw from 2022) may have been the initial access vector that allowed for the large-scale firewall data leak.

New Fortinet zero-day CVE also exploited in the wild

Separately, on Tuesday, January 14, 2025, Fortinet disclosed CVE-2024-55591, a new zero-day vulnerability affecting FortiOS and FortiProxy. Security firm Arctic Wolf had previously published a blog on threat activity targeting Fortinet firewall management interfaces exposed to the public internet, saying that “a zero-day vulnerability is likely” but an initial access vector had not been confirmed. According to Arctic Wolf, the campaign “involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”

Fortinet’s advisory for CVE-2024-55591 includes indicators of compromise (IOCs) and notes that the vulnerability was reported as exploited in the wild at time of disclosure. No individual or firm is explicitly credited for discovering the vulnerability in Fortinet’s advisory, and Fortinet has not confirmed that CVE-2024-55591 is the zero-day vulnerability Arctic Wolf speculated was being leveraged in the threat activity it observed.

Rapid7 MDR threat hunters have observed activity from IP addresses publicly attributed to the threat campaign targeting CVE-2024-55591, but our team has so far only noted connections consistent with scanning or reconnaissance activity and not exploitation.

Zero-day vulnerabilities in Fortinet FortiOS, the operating system that runs on FortiGate firewalls, have been a relatively common occurrence in recent years and have been leveraged in a wide range of financially motivated, state-sponsored, and other attacks. In addition to CVE-2024-55591, prominent FortiOS zero-day flaws have included:

Like CVE-2022-40684, CVE-2024-55591 is an authentication bypass using an alternate path or channel (CWE-288). While it does not currently appear likely that CVE-2024-55591 is the vulnerability that enabled the collection and release of FortiGate firewall configuration data on January 15, 2025, the vulnerability is nevertheless being exploited in the wild and should be treated with urgency.

Mitigation guidance

According to Fortinet’s advisory, the following products and versions are vulnerable to CVE-2024-55591:

  • Fortinet FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
  • Fortinet FortiProxy 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)
  • Fortinet FortiProxy 7.0.0 through 7.0.19 (fixed in 7.0.20 or above)

Per Fortinet, other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected. Customers should update to a fixed version immediately, without waiting for a regular patch cycle to occur, and review Fortinet’s IOCs to aid investigations into suspicious activity. Indicators include examples of administrative or local users added by adversaries.

Customers should also ensure that firewall management interfaces are not exposed to the public internet and limit IP addresses that can reach administrative interfaces. If your organization was impacted by the January 15, 2025 FortiGate firewall data leak, you should change administrative and local user passwords immediately. FortiOS also supports multi-factor authentication (MFA) for local user accounts, which Rapid7 strongly recommends implementing.
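The controls in the two paragraphs above (restrict which source IPs can reach administrative interfaces, enable MFA on local admin accounts, and look for adversary-added administrative users) can be checked against a FortiOS configuration export. The Python auditor below is an added example, not Rapid7's or Fortinet's tooling; the configuration excerpt and the `EXPECTED_ADMINS` baseline are constructed, and it assumes the standard FortiOS CLI semantics that an admin with no `trusthost` (or `0.0.0.0 0.0.0.0`) may log in from anywhere and that `two-factor` defaults to `disable`.

```python
from typing import Dict, List

# Constructed sample FortiOS config excerpt (not from any real device or from the
# leaked data set): one well-configured admin, one unexpected admin with no trusthost
# and no MFA, one expected admin without MFA, and a WAN interface allowing HTTPS/SSH.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
    edit "helpdesk2"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

# Hypothetical baseline of admin accounts the organisation expects on this device.
EXPECTED_ADMINS = {"admin", "helpdesk2"}
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # FortiOS default trusthost, i.e. no restriction

ConfigTree = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> ConfigTree:
    """Parse top-level 'config <path> / edit <name> / set <key> <values> / next / end'
    blocks into {section: {entry: {key: [values]}}}. Nested config blocks are skipped."""
    tree: ConfigTree = {}
    section = entry = None
    nested = 0
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":
            if section is None:
                section = " ".join(tokens[1:])
                tree.setdefault(section, {})
            else:
                nested += 1  # sub-block inside an entry; not needed for this audit
        elif word == "end":
            if nested:
                nested -= 1
            else:
                section = None
        elif nested or section is None:
            continue
        elif word == "edit":
            entry = tokens[1].strip('"')
            tree[section][entry] = {}
        elif word == "next":
            entry = None
        elif word == "set" and entry is not None:
            tree[section][entry][tokens[1]] = [t.strip('"') for t in tokens[2:]]
    return tree


def audit(tree: ConfigTree) -> List[str]:
    """Return one finding per violation of the guidance above."""
    findings = []
    for name, props in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(props.get("allowaccess", []))
        if props.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} management access on WAN interface")
    for name, props in tree.get("system admin", {}).items():
        if name not in EXPECTED_ADMINS:
            findings.append(f"admin {name}: not in expected baseline (possible adversary-added account)")
        restricted = any(k.startswith("trusthost") and v[:2] != ANY_HOST for k, v in props.items())
        if not restricted:
            findings.append(f"admin {name}: no trusthost restriction, login permitted from any source IP")
        if props.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```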

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-55591 with vulnerability checks available in the January 15, 2025 content release. Customers already have coverage for all other FortiOS vulnerabilities mentioned in this blog from past content releases.

CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild

On Wednesday, January 8, 2025, Ivanti disclosed two CVEs affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. CVE-2025-0283 is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device.

Ivanti’s advisory indicates that CVE-2025-0282 has been exploited in the wild against a limited number of Connect Secure devices. Per the vendor, Ivanti Policy Secure and Neurons for ZTA are not known to have been exploited in the wild at time of disclosure. Google’s Mandiant division and Microsoft’s Threat Intelligence Center (MSTIC) are credited with the discovery of the two issues, which almost certainly means further intelligence will be released soon on one or more zero-day threat campaigns targeting Ivanti devices.

Ivanti also has a short blog available on the new CVEs here.

Mitigation guidance

The following products and versions are vulnerable to CVE-2025-0282:

  • Ivanti Connect Secure 22.7R2 through 22.7R2.4
  • Ivanti Policy Secure 22.7R1 through 22.7R1.2
  • Ivanti Neurons for ZTA 22.7R2 through 22.7R2.3

The following products and versions are vulnerable to CVE-2025-0283:

  • Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.2 and prior
  • Ivanti Neurons for ZTA 22.7R2.3 and prior

Ivanti has a full table of affected versions and corresponding solution estimates in its advisory. As of 1 PM ET on Wednesday, January 8, patches are available for both CVEs in Ivanti Connect Secure (22.7R2.5), but the CVEs are unpatched in Ivanti Policy Secure and Neurons for ZTA (patches appear to be expected January 21, 2025, per the advisory).

Customers should apply available Ivanti Connect Secure patches immediately, without waiting for a typical patch cycle to occur. Ivanti’s advisory notes that “Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

For the latest information, please refer to the vendor advisory.

Rapid7 customers

Our VM engineering team is researching options for coverage of CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure and expects vulnerability checks to be available to InsightVM and Nexpose customers no later than Thursday, January 9, 2025.

Zero-Day Exploitation Targeting Palo Alto Networks Firewall Management Interfaces

On Friday, November 8, 2024, cybersecurity firm Palo Alto Networks (PAN) published a bulletin (PAN-SA-2024-0015) advising firewall customers to take steps to secure their firewall management interfaces amid unverified rumors of a possible new vulnerability. Rapid7 threat intelligence teams have also been monitoring rumors of a possible zero-day vulnerability, but those rumors were previously unsubstantiated.

Late in the evening of Thursday, November 14, the Palo Alto Networks advisory was updated to note that PAN had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet.” The firm indicated they were actively investigating. The issue was unpatched and had no CVE at time of writing (this has now changed).

Exploitation update: On Monday, November 18, Palo Alto Networks Unit42 released further details on the threat activity they observed, which the firm is tracking under the designation "Lunar Peek."

CVE and fix update: As of Monday, November 18, two CVEs have been assigned for the attacker behavior PAN observed. CVE-2024-0012 (advisory) is an authentication bypass in PAN-OS management web interfaces. It has a CVSS score of 9.3. CVE-2024-9474 (advisory) is a privilege escalation vulnerability in the PAN-OS web management interface that allows administrators to perform actions on the firewall with root privileges. It has a CVSS score of 6.9. The two vulnerabilities can be chained by adversaries to bypass authentication on exposed management interfaces and escalate privileges.

Note: While neither advisory explicitly indicates that the impact of chaining the two vulnerabilities is fully unauthenticated remote code execution as root, it seems likely from the description of the issues and the inclusion of a webshell (payload) in IOCs that adversaries may be able to achieve RCE.

Per the vendor bulletin and Unit42:

  • Risk of exploitation is believed to be limited if access to the management interface was restricted
  • If the firewall management interface was exposed to the internet, PAN advises customers to monitor for suspicious threat activity (e.g., unrecognized configuration changes or users)
  • Prisma Access and Cloud NGFW are not affected (confirmed November 18)

On Saturday, November 16, PAN added a small number of indicators of compromise (IOCs) to their advisory. IOCs include several IP addresses, which PAN noted could represent legitimate user activity from third-party VPNs, and a webshell checksum. The Unit42 threat analysis released on November 18 contains additional IOCs. Please refer to the Unit42 blog for the latest IOCs.

Affected products

The following versions of PAN-OS are vulnerable to CVE-2024-0012, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)

PAN-OS 10.1, Prisma Access, and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.

The following versions of PAN-OS are vulnerable to CVE-2024-9474, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)
  • < 10.1.14-h6 (update to 10.1.14-h6 or later to mitigate)

Prisma Access and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.
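The -hN hotfix suffix in the two version lists above makes plain string comparison unreliable (10.2.12 is below 10.2.12-h2, and 10.1 is affected by only one of the two CVEs). The Python triage helper below is an added example, not Palo Alto Networks' or Rapid7's code; it encodes only the fixed versions listed on this page, and the firewall inventory is constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per PAN-OS train, transcribed from the two lists above. A train that
# a CVE's table does not mention is treated as not affected by that CVE (10.1 for
# CVE-2024-0012, per the advisory as summarised on this page).
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2024-0012": {
        "11.2": "11.2.4-h1", "11.1": "11.1.5-h1", "11.0": "11.0.6-h1", "10.2": "10.2.12-h2",
    },
    "CVE-2024-9474": {
        "11.2": "11.2.4-h1", "11.1": "11.1.5-h1", "11.0": "11.0.6-h1", "10.2": "10.2.12-h2",
        "10.1": "10.1.14-h6",
    },
}

# Constructed firewall inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "fw-dc1": "10.2.12-h2",     # at the fix for both CVEs
    "fw-branch": "10.2.12",     # base release, below -h2: affected by both
    "fw-legacy": "10.1.14-h5",  # 10.1 train: only CVE-2024-9474 applies, still unpatched
    "fw-lab": "11.2.4-h1",      # fixed
    "fw-old": "11.0.5",         # affected by both
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """'10.2.12-h2' -> (10, 2, 12, 2). A release without a hotfix suffix is hotfix 0,
    so it sorts below every -hN hotfix of the same maintenance release."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str, cve: str) -> bool:
    """True when the version is below the fixed release for its train."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS[cve].get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return False  # train not listed as affected for this CVE
    return parsed < parse_panos_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each firewall to the CVEs it is still exposed to."""
    return {
        host: [cve for cve in FIXED_VERSIONS if is_affected(version, cve)]
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {SAMPLE_INVENTORY[host]:12} {', '.join(cves) or 'not affected'}")
```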

Mitigation guidance

Customers should update to fixed versions of PAN-OS as soon as possible to mitigate the risk of exploitation for CVE-2024-0012 and CVE-2024-9474.

Palo Alto Networks customers should ensure access to the firewall management interface is configured correctly in accordance with PAN’s recommended best practice deployment guidelines — namely, that access is restricted to trusted internal IPs only and the management interface is not exposed or accessible to the internet. More guidance is available here.

The Palo Alto Networks advisory also has directions on identifying internet-facing management interfaces and/or devices that may otherwise require remediation action. Rapid7 strongly recommends reviewing the advisory and configuration guidance in addition to the IOCs PAN released.

We will update this blog with further information as it becomes available, but as always, we encourage Palo Alto Networks customers to refer to the vendor advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-0012 and CVE-2024-9474 with vulnerability checks available as of the Monday, November 18 content release.

Indicators of compromise

See the Unit42 analysis for the latest list of IOCs related to this attack.

Update timeline

Saturday, November 16: Updated to note availability of IOCs.

Monday, November 18: Updated with CVEs, affected products, and information for Rapid7 customers.

Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks

On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution. The vulnerability arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.

Fortinet’s advisory notes that CVE-2024-47575 has been “reported” as exploited in the wild. Rapid7 customers have also reported receiving communications from service providers indicating the vulnerability may have been exploited in their environments. According to the vendor, “The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials and configurations of the managed devices.” Rapid7 strongly recommends reviewing the vendor advisory for indicators of compromise and mitigation strategies.

Background

Since roughly October 13, there have been private industry discussions and a number of public posts on Reddit, Twitter, and Mastodon about a rumored zero-day vulnerability in FortiManager. Public Reddit conversations indicated that Fortinet contacted some of their customers by email circa October 15 to “privately disclose” a FortiManager vulnerability and advise on mitigations. Despite embargoed communications and the publication of several news articles, neither a public advisory nor a CVE was issued until October 23.

On the evening of October 22, high-profile cybersecurity researcher Kevin Beaumont published a blog alleging that a state-sponsored adversary has been using this FortiManager zero-day vulnerability in espionage attacks. While Fortinet’s advisory doesn’t include any information about specific adversaries exploiting the vulnerability, Fortinet devices have long been popular targets for state-sponsored threat actors.

Mitigation guidance

Per Fortinet’s advisory, the following versions of FortiManager are vulnerable to CVE-2024-47575 and have mitigation guidance available:

  • FortiManager 7.6.0
  • FortiManager 7.4.0 through 7.4.4
  • FortiManager 7.2.0 through 7.2.7
  • FortiManager 7.0.0 through 7.0.12
  • FortiManager 6.4.0 through 6.4.14
  • FortiManager Cloud 7.4.1 through 7.4.4
  • FortiManager Cloud 7.2 (all versions)
  • FortiManager Cloud 7.0 (all versions)
  • FortiManager Cloud 6.4 (all versions)

The advisory indicates FortiManager Cloud 7.6 is not affected.

FortiManager customers should update to a supported, fixed version on an emergency basis, without waiting for a regular patch cycle to occur. See the vendor advisory for the latest list of fixed versions. A workaround is also available for some versions.

Fortinet’s advisory also includes a list of indicators of compromise (IOCs) that FortiManager customers should look for in their environments.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-47575 with an authenticated check expected to be available in the Wednesday, October 23 content release.

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise

On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions) across all platforms. No CVE was assigned by the vendor, but a third-party CVE Numbering Authority (CNA) assigned CVE-2024-4040 as of Monday, April 22. According to a public-facing vendor advisory, the vulnerability is ostensibly a VFS sandbox escape in CrushFTP managed file transfer software that allows “remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.”

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI). CVE-2024-4040 was exploited in the wild as a zero-day vulnerability, per private customer communications from the vendor and a public Reddit post from security firm CrowdStrike. Using a query that looks for a specific JavaScript file in the web interface, there appear to be roughly 5,200 instances of CrushFTP exposed to the public internet.

Mitigation guidance

According to the advisory, CrushFTP versions below 11.1 are vulnerable to CVE-2024-4040. The following versions of CrushFTP are vulnerable as of April 22, 2024:

  • All legacy CrushFTP 9 installations
  • CrushFTP 10 before v10.7.1
  • CrushFTP 11 before v11.1.0

The vulnerability has been patched in version 11.1.0 for the 11.x version stream, and in version 10.7.1 for the 10.x version stream. The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance, particularly given our team’s findings on the true impact of the issue, and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.

While the vendor guidance as of April 22 says that “customers using a DMZ in front of their main CrushFTP instance are partially protected,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a DMZ as a mitigation strategy.

CrushFTP customers can harden their servers against administrator-level remote code execution attacks by enabling Limited Server mode with the most restrictive configuration possible. Organizations should also use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

Rapid7 customers

A vulnerability check for InsightVM and Nexpose customers is in development and expected to be available in either today’s (Tuesday, April 23) or tomorrow's (Wednesday, April 24) content release.

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating.

Mitigation guidance

CVE-2024-3400 is unpatched as of Friday, April 12 and affects the following versions of PAN-OS when GlobalProtect gateway and device telemetry are enabled:

  • PAN-OS 11.1 (before 11.1.2-h3)
  • PAN-OS 11.0 (before 11.0.4-h1)
  • PAN-OS 10.2 (before 10.2.9-h1)

Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0). For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.

The company has indicated that hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 will be released by April 14, along with hotfixes for “all later PAN-OS versions.”

Rapid7 recommends applying one of the below vendor-provided mitigations immediately:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here.
  • Those unable to apply the Threat Prevention mitigation can mitigate by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Rapid7 customers

Authenticated vulnerability checks are expected to be available to InsightVM and Nexpose customers in today’s (Friday, April 12) content release.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

CVE-2024-0204: Critical Authentication Bypass in Fortra GoAnywhere MFT

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing, which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.

Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now.

In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.

Mitigation guidance

CVE-2024-0204 affects the following versions of GoAnywhere MFT:

  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur.

Per the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”

If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:

  • Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
  • Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check expected to be available in today’s (January 23) content release.

Zero-Day Exploitation of Ivanti Connect Secure and Policy Secure Gateways

On Wednesday, January 10, 2024, Ivanti disclosed two zero-day vulnerabilities affecting their Ivanti Connect Secure and Ivanti Policy Secure gateways. Security firm Volexity, who discovered the vulnerabilities, also published a blog with information on indicators of compromise and attacker behavior observed in the wild. In an attack Volexity investigated in December 2023, the two vulnerabilities were chained to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

The two vulnerabilities in the advisory are:

  • CVE-2023-46805, an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887, a critical command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure in their environments to take immediate steps to apply the workaround and look for indicators of compromise. Volexity have released an extensive description of the attack and indicators of compromise — we strongly recommend reviewing their blog, which includes the information below:

“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”

Ivanti Connect Secure, previously known as Pulse Connect Secure, is a security appliance that has been targeted in a range of threat campaigns in recent years. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin on January 10, 2024 urging Ivanti Connect Secure and Ivanti Policy Secure users to mitigate the two vulnerabilities immediately.

Counts of internet-exposed appliances vary widely depending on the query used. The following Shodan query identifies roughly 7K devices on the public internet: http.favicon.hash:-1439222863 html:"welcome.cgi?p=logo. Looking for Ivanti’s welcome page alone more than doubles that number (but reduces accuracy). Rapid7 Labs has observed scanning activity targeting our honeypots that emulate Ivanti Connect Secure appliances.

Mitigation guidance

All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887. Ivanti’s advisory notes that a workaround is available for CVE-2023-46805 and CVE-2024-21887. Ivanti Connect Secure and Ivanti Policy Secure customers should apply the vendor-supplied workaround immediately and investigate their environments for signs of compromise. Ivanti advises customers using unsupported versions of the product to upgrade to a supported version before applying the workaround.

Ivanti has indicated that patches will be released in a staggered schedule between January 22 and February 19, 2024 — target patch timelines can be found here.

Per Ivanti’s advisory and KB article, “Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs.”

Note: Volexity indicated that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should ensure logging is enabled. Ivanti has a built-in integrity checker tool (ICT) that verifies the image on Ivanti Connect Secure and Ivanti Policy Secure appliances and looks for modified files. Ivanti is advising customers to use the external version of this tool to check the integrity of the ICS/IPS images, since Ivanti has seen adversaries “attempting to manipulate” the internal integrity checker tool.

Rapid7 customers

Our engineering team is investigating options for InsightVM and Nexpose coverage for these vulnerabilities. We will provide an update to this blog no later than 3 PM EST on Thursday, January 11, 2024.

CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest

On November 8, 2023, IT service management company SysAid disclosed CVE-2023-47246, a zero-day path traversal vulnerability affecting on-premise SysAid servers. According to Microsoft’s threat intelligence team, who said they discovered the vulnerability, it has been exploited in the wild by DEV-0950 (Lace Tempest) in “limited attacks.” In a social media thread published the evening of November 8, Microsoft emphasized that Lace Tempest distributes the Cl0p ransomware, and that exploitation of CVE-2023-47246 is likely to result in ransomware deployment and/or data exfiltration. Lace Tempest is the same threat actor who perpetrated the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.

SysAid’s advisory on CVE-2023-47246 says the attacker “uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware. There are extensive details about the attack chain in the vendor advisory, along with robust indicators of compromise. An employee of technology company Elastic also reported the evening of November 8 that Elastic had observed exploitation in the wild as far back as October 30.

SysAid’s website claims that the company has upwards of 5,000 customers, including a number of large corporations whose logos adorn SysAid’s customer page. Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.)

Mitigation guidance

CVE-2023-47246 is fixed in version 23.3.36 of SysAid server. Given the potential for ransomware and extortion attacks, organizations with on-premise SysAid servers should apply the vendor-supplied patches on an emergency basis, invoking incident response procedures if possible, and ensure the server is not exposed to the public internet. We also strongly recommend reviewing the indicators of compromise in SysAid’s advisory and examining environments for suspicious activity, though notably, the advisory says the adversaries may cover their tracks by cleaning up logs and artifacts on disk.

Indicators of compromise

SysAid has an extensive list of IOCs and observed attacker behavior in their advisory. Rather than reproducing that here, we urge organizations to use that vendor advisory as their starting source of truth for threat hunting: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

Rapid7 has a Velociraptor artifact available to help organizations identify post-exploitation activity related to this zero-day vulnerability:

  • Yara.Process: Targets observed malware and Cobalt Strike via process YARA
  • Disk.Ntfs: Targets known disk IOCs via Windows.ntfs.mft
  • Forensic.Usn: Targets known disk IOCs via USN journal
  • Evtx.Defender: Searches Defender event logs for evidence of associated alerts
  • Evtx.NetworkIOC: Targets known strings of network IOCs in firewall, Sysmon and PowerShell logs.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-47246 with an authenticated Windows check expected to ship in today’s (November 9) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

  • Attacker Technique - SpoolSV Spawns CMD or PowerShell
  • Attacker Technique - Possible Process Injection
  • Attacker Technique - PowerShell Download Cradles
  • Attacker Tool - CobaltStrike PowerShell Commands
  • Suspicious Network Connection - Destination Address in Cobalt Strike C2 List

CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability

On Monday, October 16, Cisco’s Talos group published a blog on an active threat campaign exploiting CVE-2023-20198, a “previously unknown” zero-day vulnerability in the web UI component of Cisco IOS XE software. IOS XE is an operating system that runs on a wide range of Cisco networking devices, including routers, switches, wireless controllers, access points, and more. Successful exploitation of CVE-2023-20198 allows a remote, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, effectively enabling a complete takeover of the system.

There is no patch for CVE-2023-20198 as of October 17, 2023. As Cisco Talos noted in their blog, it is being actively exploited in the wild. There appear to be a significant number of devices running IOS XE on the public internet as of October 17. Estimates of internet-exposed devices running IOS XE vary, but the attack surface area does appear to be relatively large; one estimate puts the exposed device population at 140K+.

In the activity Cisco observed, attackers created (malicious) local user accounts from suspicious IP addresses. Additional activity has included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or IOS level. Cisco has an extensive description of the malicious behavior they’ve observed in the Talos blog.

Affected products

Cisco’s public advisory on CVE-2023-20198 merely says that Cisco IOS XE software is vulnerable if the web UI feature is enabled (the UI is enabled through the ip http server or ip http secure-server commands). Cisco does not offer a list of products that definitively run IOS XE, but their product page for IOS XE lists some, including the Catalyst, ASR, and NCS families.

According to the advisory, customers can determine whether the HTTP Server feature is enabled for a system by logging into the system and using the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled (and that the system is therefore vulnerable).

Cisco’s advisory also specifies that if the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP. If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Mitigation guidance

In lieu of a patch, organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. Per Cisco’s advisory, if both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. Organizations should also avoid exposing the web UI and management services to the internet or to untrusted networks.
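The advisory’s enablement check and the mitigation commands above, as an added example (not Cisco’s or Rapid7’s code). It takes the text of a running-config, applies the three conditions quoted from the advisory (web UI on, and whether the ip http active-session-modules none / ip http secure-active-session-modules none lines remove exploitability over HTTP or HTTPS), and emits the global-config commands that would turn off whichever server is on. The hostnames and configs are constructed for the example.

```python
# Added example (not Cisco's or Rapid7's code): classify an IOS XE
# running-config for CVE-2023-20198 exposure using the conditions quoted
# from Cisco's advisory, and emit the commands that disable the web UI.
import re

# Constructed sample configs for demonstration only; not real device output.
SAMPLE_CONFIGS = {
    "edge-rtr-01": "hostname edge-rtr-01\n"
                   "ip http server\n"
                   "ip http secure-server\n"
                   "ip http authentication local\n",
    "edge-rtr-02": "hostname edge-rtr-02\n"
                   "no ip http server\n"
                   "ip http secure-server\n"
                   "ip http secure-active-session-modules none\n",
    "edge-rtr-03": "hostname edge-rtr-03\n"
                   "no ip http server\n"
                   "no ip http secure-server\n",
}


def has_global_command(config: str, command: str) -> bool:
    """True if `command` is present as an exact global-config line.

    Anchoring at the start of the line excludes the `no ip http ...` form
    and indented sub-mode lines; anchoring at the end keeps the check from
    matching longer lines that merely start with the command.
    """
    pattern = re.compile(r"^" + re.escape(command) + r"[ \t]*$", re.MULTILINE)
    return pattern.search(config) is not None


def assess_webui(config: str) -> dict:
    """Apply the advisory's conditions to one running-config."""
    http = has_global_command(config, "ip http server")
    https = has_global_command(config, "ip http secure-server")
    http_modules_none = has_global_command(config, "ip http active-session-modules none")
    https_modules_none = has_global_command(config, "ip http secure-active-session-modules none")
    remediation = []
    if http:
        remediation.append("no ip http server")
    if https:
        remediation.append("no ip http secure-server")
    return {
        "webui_enabled": http or https,
        # A scheme is not exploitable when its *-active-session-modules none line is set.
        "exploitable_http": http and not http_modules_none,
        "exploitable_https": https and not https_modules_none,
        "remediation": remediation,
    }


def report(configs: dict) -> dict:
    """Assess every config and return {hostname: assessment}."""
    return {name: assess_webui(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for host, result in report(SAMPLE_CONFIGS).items():
        print(host, result)
```

Feed it the output of show running-config (or the filtered include form from the advisory) collected per device. Note that edge-rtr-02 still reports the web UI as enabled even though neither scheme is exploitable: the active-session-modules lines reduce exposure to this bug, but disabling the server where it is not needed is the smaller attack surface.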

Disabling the web UI component of IOS XE systems and limiting internet exposure reduces risk from known attack vectors, but notably does not mitigate risk from implants that may have already been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures where possible to prioritize hunting for indicators of compromise Cisco has shared, listed below.

Cisco-observed attacker behavior

The Cisco Talos blog on CVE-2023-20198 has a full analysis of the implant they’ve observed being deployed as part of this threat campaign. We strongly recommend reading the analysis in its entirety. The implant is saved at the file path /usr/binos/conf/nginx-conf/cisco_service.conf and contains two variable strings made up of hexadecimal characters. While the implant is not persistent (a device reboot will remove it), the attacker-created local user accounts are.

Cisco observed the threat actor exploiting CVE-2021-1435, which was patched in 2021, to install the implant after gaining access to a device vulnerable to CVE-2023-20198. Talos also notes that they have seen devices fully patched against CVE-2021-1435 getting the implant successfully installed “through an as of yet undetermined mechanism.”

Rapid7-observed attacker behavior

Rapid7 MDR has so far identified a small number of instances where CVE-2023-20198 was exploited in customer environments, including multiple instances of exploitation within the same customer environment on the same day. The indicators of compromise our team has identified with available evidence indicate the use of techniques similar to those described by Cisco Talos.

Rapid7 identified variations of techniques in the course of our investigations. The first malicious activity performed on the system post-exploitation was associated with the admin account. The following is an excerpt from this log file:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
The threat actor created the local account cisco_support using the command username cisco_support privilege 15 algorithm-type sha256 secret * under user context admin. The threat actor then authenticated to the system using this newly created cisco_support account and began running several commands, including the following:

show running-config
show voice register global
show dial-peer voice summary
show platform
show flow monitor
show platform
show platform software iox-service
show iox-service
dir bootflash:
dir flash:
clear logging
no username cisco_support
no username cisco_tac_admin
no username cisco_sys_manager

Upon completion of these commands, the threat actor deleted the account cisco_support. The accounts cisco_tac_admin and cisco_sys_manager were also deleted, but Rapid7 did not observe account creation commands associated with these accounts within available logs.

The threat actor also executed the clear logging command to clear system logging and cover their tracks. Rapid7 identified logging for the second exploitation on October 12, 2023, but could not review logs for the first intrusion because the logs had been cleared.

Evidence indicated that the last action performed by the threat actor relates to a file named aaa:
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD aaa

When comparing the two intrusions that occurred within the same environment on October 12, there are slight differences in observed techniques. For example, log clearing was only performed within the first exploitation, while the second exploitation included additional directory viewing commands.

Indicators of compromise

The Cisco Talos blog on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way of identifying whether the implant observed by Talos is present is to run the following command against the device, where “DEVICEIP” is a placeholder for the IP address of the device to check:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

The command above will execute a request to the device’s Web UI to see if the implant is present. If the request returns a hexadecimal string, the implant is present (note that the web server must have been restarted by the attacker after the implant was deployed for the implant to have become active, so a negative result does not rule out compromise). Per Cisco’s blog, the above check should use the HTTP scheme if the device is only configured for an insecure web interface.
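The same check as a small scanner, added here as an example (not Cisco’s or Rapid7’s code). It keeps the request separate from the verdict so the verdict logic can be exercised on constructed response bodies without touching a device, and it falls back to HTTP when HTTPS is unreachable, per the note above. The device addresses are whatever you pass on the command line.

```python
# Added example (not Cisco's or Rapid7's code): the curl implant check as a
# scanner. Verdict logic is separated from the request so it can be tested
# offline on constructed response bodies.
import re
import ssl
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
HEX_STRING = re.compile(r"[0-9a-fA-F]+")


def implant_indicated(body: str) -> bool:
    """Cisco Talos' criterion: the response body is a hexadecimal string.

    Anything else (an HTML logout page, an empty body, an error page) is a
    negative result, which does not prove the device is clean: the implant
    only answers after the web server has been restarted.
    """
    text = body.strip()
    return bool(text) and HEX_STRING.fullmatch(text) is not None


def probe(device_ip: str, scheme: str = "https", timeout: float = 5.0) -> dict:
    """POST to the implant path on one device and classify the body."""
    url = f"{scheme}://{device_ip}{IMPLANT_PATH}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # equivalent of curl -k: devices usually
    ctx.verify_mode = ssl.CERT_NONE   # carry self-signed certs; not a trust decision
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")   # still a body to classify
    except (urllib.error.URLError, OSError) as exc:
        return {"device": device_ip, "scheme": scheme, "reachable": False,
                "implant": None, "detail": str(exc)}
    return {"device": device_ip, "scheme": scheme, "reachable": True,
            "implant": implant_indicated(body), "detail": body[:80]}


def probe_device(device_ip: str) -> dict:
    """Try HTTPS first; fall back to HTTP for devices that only run the
    insecure web interface, as Cisco's blog advises."""
    result = probe(device_ip, "https")
    if not result["reachable"]:
        result = probe(device_ip, "http")
    return result


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:        # e.g. python3 probe.py 192.0.2.10 192.0.2.11
        print(probe_device(ip))
```

Treat "implant": True as a confirmed compromise and "implant": False as "no active implant seen at this moment"; the account and log checks that follow are still required either way.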

Additional Cisco IOCs

  • 5.149.249[.]74
  • 154.53.56[.]231

Usernames:

  • cisco_tac_admin
  • cisco_support

Cisco Talos also advises performing the following checks to determine whether a device may have been compromised:

Check the system logs for the presence of any of the following log messages where “user” could be cisco_tac_admin, cisco_support or any configured, local user that is unknown to the network administrator:

  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.

Organizations should also check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:

  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
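The three log checks above, together with the Rapid7-observed %SYS-5-CONFIG_P and %WEBUI-6-INSTALL_OPERATION_INFO entries earlier in this section, as an added example of the hunt run over IOS XE syslog output (not Cisco’s or Rapid7’s code). Assumptions: KNOWN_USERS lists the organization’s legitimate local accounts and EXPECTED_INSTALLS the file installs it actually performed; both are placeholders. The sample log is constructed, modelled on the message formats quoted in the text and the IOC usernames and IP addresses Cisco published.

```python
# Added example (not Cisco's or Rapid7's code): run the three syslog checks
# from the text over IOS XE log output and return one finding per hit.
import re

KNOWN_USERS = {"admin", "netops"}                    # assumption: legitimate local accounts
EXPECTED_INSTALLS = set()                            # assumption: no installs were scheduled
IOC_USERS = {"cisco_tac_admin", "cisco_support"}     # usernames published by Cisco
IOC_IPS = {"5.149.249.74", "154.53.56.231"}          # IP addresses published by Cisco

CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<process>\S+) "
    r"from console as (?P<user>\S+) on (?P<line>\S+)")
WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] "
    r"\[Source: (?P<ip>[^\]]+)\]")
INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: ADD (?P<filename>\S+)")

# Constructed sample log for demonstration; not captured from a real device.
SAMPLE_LOG = """\
Oct 12 2023 03:40:02.111 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
Oct 12 2023 03:41:10.512 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_support on vty2
Oct 12 2023 03:42:13.001 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 5.149.249.74] at 03:42:13 UTC Thu Oct 12 2023
Oct 12 2023 03:44:50.900 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD aaa
Oct 12 2023 09:00:00.000 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.30.40] at 09:00:00 UTC Thu Oct 12 2023
"""


def hunt(log_text: str) -> list:
    """Return one finding per suspicious line: {line_no, check, user, reason}."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := CONFIG_P.search(line):
            user = m["user"]
            # CONFIG_P fires on every web UI access; the username is the signal.
            if user not in KNOWN_USERS:
                tag = " (Cisco IOC username)" if user in IOC_USERS else ""
                findings.append({"line_no": n, "check": "CONFIG_P", "user": user,
                                 "reason": "unknown user via web UI" + tag})
        elif m := WEBLOGIN.search(line):
            user, ip = m["user"], m["ip"]
            reasons = []
            if user not in KNOWN_USERS:
                reasons.append("unknown user")
            if ip in IOC_IPS:
                reasons.append("source IP in Cisco IOC list")
            if reasons:
                findings.append({"line_no": n, "check": "WEBLOGIN", "user": user,
                                 "reason": "; ".join(reasons) + f" (from {ip})"})
        elif m := INSTALL.search(line):
            if m["filename"] not in EXPECTED_INSTALLS:
                findings.append({"line_no": n, "check": "INSTALL", "user": m["user"],
                                 "reason": f"unexpected install of {m['filename']}"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run it against show logging output and, preferably, against the copy of the device logs held by a remote syslog collector: the actor in Rapid7’s investigation issued clear logging, so an unexpectedly empty or truncated local buffer on a device that should have history is itself a finding, and only an off-box copy survives it.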

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. The check is available in today’s (October 17) content release.

InsightIDR and Rapid7 MDR customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to this vulnerability via the IP addresses provided by Cisco:

  • Network Flow - CURRENT_EVENTS Related IP Observed
  • Suspicious Connection - CURRENT_EVENTS Related IP Observed

Updates

October 17, 2023: Updated with Rapid7-observed attacker behavior and IOCs.