Last month we detected an incident that led us to discover that a Chinese APT actor was using two chained 0day exploits that impact all supported Ivanti Connect Secure (ICS) VPN appliances (aka Pulse Secure). These exploits, when combined, allowed unauthenticated remote code execution on the VPN devices. The threat actor used that access to backdoor the VPN appliance with webshells, modify code to harvest credentials, exfiltrate data, and pivot to the internal network. Our team was ultimately able to leverage a memory dump we got from a compromised ICS device to identify and recreate the exploit. We worked closely with Ivanti, and today they released a mitigation for this issue. It is critical that any organization running ICS VPN appliances apply this mitigation ASAP. Further, it is important that organizations realize that this mitigation will not remedy past or ongoing compromise. Our blog details the operations of the threat actor and gives a good list of things companies can do and should look for to ensure they have not been breached. Feel free to reach out if you run one of these appliances and have any questions or concerns.
[#Blog] Volexity recently detected an incident where it discovered a threat actor chained two #0day vulnerabilities in Ivanti Connect Secure, CVE-2023-46805 & CVE-2024-21887, to achieve RCE, modifying components of the software to backdoor the device. Read more here: https://lnkd.in/ejtu-gy8 #dfir #threatintel #memoryforensics