Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Jan-2024 00:39:14 JST Kevin Beaumont

   I have written a #ConnectAround scanner and I’m scanning the internet’s to see exposure level, if you spot me in your logs. #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 18:51:16 JST Kevin Beaumont

     in reply to

     The finders of #ConnectAround have updated their blog to say 1700 orgs have been compromised, not less than 10 https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

     If you use Pulse Secure, you probably want to find an IR firm.

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 22:45:44 JST Kevin Beaumont

     in reply to

     • Rich Warren

     If you use the Ivanti integrity checking tool, the results it gives are encrypted and can only be read by Ivanti support.

     Since there are thousands of #ConnectAround victims, this doesn’t scale. To compensate you can decrypt the results yourself now: https://gist.github.com/rxwx/03a036d8982c9a3cead0c053cf334605 HT @buffaloverflow

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 22:50:28 JST Kevin Beaumont

     in reply to

     • Rich Warren

     Unfortunately it looks like Ivanti have been a bit naughty with CVE allocation too. @buffaloverflow #ConnectAround

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Jan-2024 23:49:43 JST Kevin Beaumont

     in reply to

     Complete exploitation info for #ConnectAround is now public. https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805

     It’s a chaotic mix of ../../ directory traversal and open APIs… if you haven’t applied the mitigations you’re going to have a really bad time as ransomware groups will jump on the train soon. #threatintel

   • Embed this notice
     RecklessPush38671 (recklesspush38671@infosec.exchange)'s status on Wednesday, 17-Jan-2024 02:47:36 JST RecklessPush38671

     in reply to

     @GossiTheDog I'm getting a gateway error for this link. Did they take the article down?

   • Embed this notice
     Tod Beardsley (todb@infosec.exchange)'s status on Wednesday, 17-Jan-2024 06:02:46 JST Tod Beardsley

     in reply to

     • Rich Warren

     @GossiTheDog @buffaloverflow You might want to double check that assigning CNA.

     https://www.cve.org/cverecord?id=CVE-2024-21887

     Maybe it’s one issue that has several vectors. Haven’t looked myself yet since I’m on vacation.

     But the CVE isn’t issued by Ivanti, technically.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 17-Jan-2024 08:46:15 JST Kevin Beaumont

     in reply to

     Palo-Alto are tracking 30k boxes exposed to #ConnectAround

     https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-2024-21887/

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 18-Jan-2024 05:14:27 JST Kevin Beaumont

     in reply to

     Amazing - first mass spraying of #ConnectAround by notChina and they’re delivering.. coin miners. 🤣🤣🤣

     https://infosec.exchange/@greynoise/111773096176640713

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jan-2024 00:54:28 JST Kevin Beaumont

     in reply to

     I strongly suspect there are a whole bunch of large orgs running incidents for #ConnectAround now.

     Why? Pulse Secure boxes which didn't have the mitigation supplied have stopped responding totally for over a day.. when Shodan history shows they've been running on same IP for years.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jan-2024 20:06:15 JST Kevin Beaumont

     in reply to

     https://www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce
     #ConnectAround #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jan-2024 08:18:18 JST Kevin Beaumont

     in reply to

     IPs exploiting #ConnectAround to RCE

     https://viz.greynoise.io/query/?gnql=last_seen%3A1d%20AND%20spoofable%3Afalse%20AND%20%28tags%3A%22Ivanti%20Connect%20Secure%20%28ICS%29%20RCE%20Attempt%22%29

     #threatintel

   • Embed this notice
     VessOnSecurity (bontchev@infosec.exchange)'s status on Saturday, 20-Jan-2024 17:44:28 JST VessOnSecurity

     in reply to

     @GossiTheDog Is there a way to find remotely if an Ivanti setup has been compromised? Not just vulnerable but actually compromised?

   • Embed this notice
     VessOnSecurity (bontchev@infosec.exchange)'s status on Saturday, 20-Jan-2024 17:49:45 JST VessOnSecurity

     @GossiTheDog You mean, they drop webshells?

     The reason I asked is because I haven't seen stats of how many devices are compromised - only how many are vulnerable or how many are trying to exploit.

     If the only way to detect a compromised device is to access it via the webshell, this could explain this lack of statistics - it would be essentially hacking into the device, which would be illegal.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jan-2024 04:47:44 JST Kevin Beaumont

     in reply to

     Latest #ConnectAround issue - there’s no patch, and the mitigation silently fails to work if an admin makes a config change elsewhere.

     If you run Pulse Secure I’d suggest being very cautious.

     https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/

     #threatintel

   • Embed this notice
     paulw6533 (paulw6533@cyberplace.social)'s status on Wednesday, 24-Jan-2024 22:21:40 JST paulw6533

     in reply to

     @GossiTheDog - Ivanti said patches would be available from w/c 22nd Jan, its Wednesday and still no patch this week. When will they take security seriously and release a proper patch?

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 31-Jan-2024 07:33:16 JST Kevin Beaumont

     in reply to

     Latest on #ConnectAround - the vendor promised patches weeks later, but hasn’t been hitting its own milestones to release said patches.

     https://www.securityweek.com/ivanti-struggling-to-hit-zero-day-patch-release-schedule/

     #threatintel

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 31-Jan-2024 20:34:27 JST Kevin Beaumont

     in reply to

     • fthy

     More hilarity on #ConnectAround - there’s now two NEW vulnerabilities in Ivanti Pulse Secure, being actively exploited as zero days too - no patches.

     Updated advisory with updated mitigations you need to reapply:
     https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

     CVEs: CVE-2024-21893 and CVE-2024-21888

     CERT advisory: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-205101-1032.pdf?__blob=publicationFile&v=2

     HT @fthy

     #threatintel