Changelog: Ivanti discloses the biggest zero-days of the year so far

Welcome to Changelog for 1/11/2024, published by Synack! README senior editor Nathaniel Mott here emerging from the first big storm of the year to bring you the latest security news.

The payload

Ivanti has disclosed a pair of actively exploited zero-day vulnerabilities in its Connect Secure and Policy Secure gateways that can be exploited to achieve remote code execution on the appliances.

The vulns have been assigned the CVE-2023-46805 and CVE-2024-21887 identifiers. Ivanti has shared mitigation instructions for both vulnerabilities, but it plans to release the patches that fix these flaws on “a staggered schedule,” with organizations receiving the updates between Jan. 22 and Feb. 19. (Additional details about the mitigations and patch release schedule can be found in this knowledge base article.)

Ivanti said it’s “aware of less than 10 customers impacted by the vulnerabilities.” It doesn’t seem like the company’s known about the vulns for long, however, with the Volexity security firm saying it discovered the zero-days in the course of responding to an incident “during the second week of December 2023.” I wouldn’t be surprised if more victims come forward now that the flaws have been publicly disclosed.

Volexity said it “found that there was suspect activity originating from the device as early as December 3, 2023.” The company also said that it’s attributing the attack to UTA0178, which it “has reason to believe … is a Chinese nation-state-level threat actor” that’s exploiting these vulnerabilities to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”

Things got worse from there. Volexity said that exploiting these vulnerabilities allowed UTA0178 “to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.” Any organizations that rely on Ivanti’s Connect Secure or Policy Secure gateways should probably have already started incident response procedures as soon as the vulns were publicly disclosed.

Ivanti said on its website that it “finds, heals and protects every device, everywhere – automatically.” Now that it’s revealed a pair of zero-days that can be exploited to gain “unfettered access to systems on the network”—and said that many organizations won’t receive patches for these vulnerabilities for a month and a half—it might want to consider drafting up a slightly less bombastic tagline.

The week, compiled

Use multi-factor authentication. The U.S. Cybersecurity and Infrastructure Security Agency, the infosec community and Michael B. Jordan have been spreading that message for years. Yet we learned this week that even Mandiant, the incident response firm some of the largest companies in the world call when they get hacked, didn’t have MFA enabled for its account on the platform formerly known as Twitter.

Mandiant’s account was hacked on Jan. 3 to share what Dark Reading described as “a series of promotions directing people to a scam that offered token awards on a website that would verify if their cryptocurrency wallet was eligible.” The company regained control over the account the following day and concluded its investigation into the incident on Jan. 10, which is when it revealed its blunder.

The account was taken over by a “brute force password attack,” Mandiant said. “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We've made changes to our process to ensure this doesn't happen again.” (Presumably those changes included enabling MFA and choosing a harder-to-crack password.)

So if you still aren’t using MFA to secure your accounts, well, you should probably change that sooner rather than later. But don’t beat yourself up over it—apparently even Mandiant hasn’t gotten around to confirming that its accounts can’t be hijacked by anyone with a password cracker and a little gumption. Let’s hope the Securities and Exchange Commission, which recently saw its Twitter account breached in similar fashion, is taking notes, too.

Now for some highlights from the rest of the week:

Ars Technica: You wouldn’t download a car—but would you ransomware a wrench? Ars Technica reported on Jan. 9 that researchers have discovered 23 vulnerabilities in a network-connected wrench that could be exploited “to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.”

CyberScoop: The NSA gave a gift to every security firm on the planet on Jan. 9 when an official said that “artificial intelligence and machine learning technologies are helping the National Security Agency and other U.S. government agencies detect malicious Chinese cyber activity.” That sound you heard was countless marketing departments preparing to cite those claims in their companies’ RSA 2024 materials.

TechCrunch: Ending on a positive note, the FTC announced on Jan. 9 that it had banned X-Mode from selling the location data it collects from partnered mobile app developers, with TechCrunch describing the agreement as a “first of its kind settlement” that will also require the company to “delete or destroy all the location data it previously collected” as well as “products produced from this data.”

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

I never owned an iPod Shuffle. But the diminutive mp3 player Apple introduced on Jan. 11, 2005 was practically a phenomenon at my podunk middle school, and I’m pretty sure everyone of a certain age remembers the iconic commercials featuring dancing, iPod-equipped silhouettes on monochromatic backgrounds.

Apple kept the iPod Shuffle around until July 2017. That means it survived a decade after the introduction of the iPhone that would, eventually, render the entire iPod product line obsolete. (Not that Apple fostered that longevity; the final generation of the iPod Shuffle was released in September 2010.)

Now the idea of a dedicated audio player is starting to catch on again. Perhaps the most interesting prospect is Tangara, “the music player you wish you had in the early 2000s,” which combines a clearly iPod-inspired design with open source hardware and software for hackers to experiment with. I might finally get as close as I’ve come to owning an iPod Shuffle… nearly 20 years after its release.

Local files

404 Media: The U.S. “has accused a man living in Turkey for hacking T-Mobile in 2021 and then selling stolen data on more than 40 million people, according to sealed court records,” which 404 Media said also named several people who helped facilitate the effort. That isn’t necessarily new information—the man had already claimed responsibility for the hack—but it does offer some more insight into the breach.

The Record: New York Attorney General Letitia James has ordered Refuah Health Center “to invest more than $1.2 million on cybersecurity after a 2021 ransomware attack exposed the sensitive information of more than 250,000 people,” The Record said on Jan. 9. The company must also “pay a $450,000 penalty for failing to appropriately protect patient information and use multi-factor authentication.”

Wired: Raptor Technologies exposed a “highly sensitive cache of documents” uploaded by some of the tens of thousands of schools it counts as customers—including evacuation plans, medical records and “the names and ID numbers of staff, students, and their parents or guardians”—via “three unsecured web buckets” that were discovered and disclosed by security researcher Jeremiah Fowler in December 2023.

Off-script

Some friends and I started playing “Divinity: Original Sin the Board Game” last week. It’s a behemoth of a game that features more books, cards, dice, tokens and miniatures than I’d care to count. (Especially since my friends sprung for all the expansions to the base game, of which there are many.)

Larian Studios announced the game’s production in December 2019, but its release was delayed by the pandemic. So far, it seems like it’s been worth the wait: We played for several hours—about a quarter of which were spent learning the rules and, naturally, arguing over the correct interpretation of the plentiful iconography and terse prose that appeared on a particular card—and barely finished the tutorial. I look forward to making it through the rest of the campaign and its expansions some time in 2025.