Introduction
Ivanti, an IT management and security company, has issued a warning about multiple zero-day vulnerabilities in its VPN products exploited by Chinese state-backed hackers since December 2023. The initial disclosure involved two CVEs (CVE-2023-46805 and CVE-2024-21887) allowing a remote attacker to perform authentication bypass and remote command injection exploits. Ivanti released a patch which was immediately bypassed by two additional flaws (CVE-2024-21888 and CVE-2024-21893) that allow an attacker to perform privilege escalation and server-side request forgery exploits.

The Cybersecurity & Infrastructure Security Agency (CISA) released an initial advisory as well as an emergency directive (ED-24-01) setting the timeline for mitigating the original two issues by 11:59 PM EST January 22, 2024. In the wake of the two new vulnerabilities being discovered with no patches available, CISA issued a supplemental direction to the emergency directive instructing Federal Civilian Executive Branch agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions from agency networks no later than 11:59 PM EST February 2, 2024.
Recommendations
For CVE-2023-46805 and CVE-2024-21887
- Apply the patch: Ivanti released a patch to address the initial two vulnerabilities. Users are advised to apply this patch promptly to secure their systems.
- Factory reset before patch: Ivanti recommends that users perform a factory reset on their appliance before applying the patch. This precautionary step aims to prevent threat actors from gaining upgrade persistence in the environment.
For CVE-2024-21888 and CVE-2024-21893
- CISA supplemental direction (ED-24-01): CISA instructed federal agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions from agency networks. Although the CISA guidance mandates this only for FCEB agencies, CISA strongly recommends that all organizations follow the same steps.
- Apply the patches as they become available, following the recommended guidance.
For all discovered issues
- Prioritize segmentation of all potentially impacted systems from enterprise resources to reduce the blast radius.
- Continue threat hunting activity for all devices connected to and from the impacted Ivanti products.
- Monitor identity management services and authentication anomalies.
- Actively audit privileged accounts that were recently created or updated.
- Rotate certificates, keys, and passwords for all connected or exposed systems and applications.
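As an added example (not code from the original advisory or from Ivanti, CISA or Zscaler), the following Python script illustrates the "monitor identity services" and "audit privileged accounts" recommendations above. It runs over a constructed set of directory audit events and reports privileged accounts that were created or modified inside a lookback window, together with the actor that made each change. The event format, the privileged group names, the account names and the timestamps are all assumptions for illustration.

```python
"""Audit recently created or modified privileged accounts.

Added example, not part of the original advisory. The event schema, group
names and sample records below are assumptions constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (not real data). Each record mimics one
# directory audit log entry: when, what, which account, and which actor.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:15:00Z", "action": "account_created",
     "account": "svc_backup", "actor": "admin.jane"},
    {"ts": "2024-01-21T02:47:00Z", "action": "account_created",
     "account": "support2", "actor": "svc_vpn"},
    {"ts": "2024-01-21T02:49:00Z", "action": "group_added",
     "account": "support2", "group": "Domain Admins", "actor": "svc_vpn"},
    {"ts": "2024-01-22T23:05:00Z", "action": "group_added",
     "account": "svc_backup", "group": "Remote Desktop Users", "actor": "admin.jane"},
    {"ts": "2023-11-02T09:00:00Z", "action": "group_added",
     "account": "ops.bob", "group": "Domain Admins", "actor": "admin.jane"},
    {"ts": "2024-01-23T10:00:00Z", "action": "password_changed",
     "account": "ops.bob", "actor": "ops.bob"},
]

# Assumed names of groups that confer privilege; adapt to the directory in use.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
LOOKBACK = timedelta(days=14)
# Fixed "now" so the run is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 24, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_privileged_accounts(events, now=NOW, lookback=LOOKBACK,
                              privileged_groups=PRIVILEGED_GROUPS):
    """Return {account: [reasons]} for privileged accounts that were created,
    granted a privileged group, or had a password change inside the lookback
    window. Changes older than the window are ignored."""
    cutoff = now - lookback
    # Pass 1: which accounts hold a privileged group at any point in the log.
    privileged = {
        e["account"] for e in events
        if e["action"] == "group_added" and e.get("group") in privileged_groups
    }
    findings = {}
    # Pass 2: recent changes touching those accounts.
    for e in events:
        if parse_ts(e["ts"]) < cutoff:
            continue
        acct = e["account"]
        if e["action"] == "group_added" and e.get("group") in privileged_groups:
            reason = f"added to {e['group']} by {e['actor']} at {e['ts']}"
            findings.setdefault(acct, []).append(reason)
        elif acct in privileged and e["action"] in ("account_created", "password_changed"):
            reason = f"{e['action']} by {e['actor']} at {e['ts']}"
            findings.setdefault(acct, []).append(reason)
    return findings


if __name__ == "__main__":
    for account, reasons in audit_privileged_accounts(SAMPLE_EVENTS).items():
        print(f"[REVIEW] {account}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed events this reports `support2` (created and added to Domain Admins by a service account at 02:47 in the morning, the kind of change worth a follow-up) and `ops.bob` (a recent password change on a long-standing admin account), while ignoring `svc_backup`, whose only recent change was a non-privileged group. In practice the same logic would be fed from the directory's audit export, and the actor field is often the more interesting column: a privileged change made by an account that is itself non-human or newly created deserves a closer look.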
Attribution
UTA0178, a Chinese government-backed hacking group motivated by espionage, is believed to be responsible for exploiting the vulnerabilities in ICS VPN. The same group was attributed with attacks concentrating on the Philippines using the MISTCLOAK, BLUEHAZE, and DARKDEW malware families.
How It Works
The attackers were observed exploiting two vulnerabilities, CVE-2023-46805 (an authentication-bypass vulnerability with a CVSS score of 8.2) and CVE-2024-21887 (a command-injection vulnerability found in multiple web components with a CVSS score of 9.1), to gain access to ICS VPN appliances. Initial activity was observed as early as December 3, 2023. The attackers were mostly living off the land, but some tools were also deployed.

Tools used by the threat actor include:
- PySoxy tunneler and BusyBox to enable post-exploitation activity
- ZIPLINE passive backdoor
- THINSPOOL dropper
- LIGHTWIRE
- WIREFIRE, BUSHWALK, and CHAINLINE web shells
- WARPWIRE
Attack Chain

Figure 1: Diagram depicting the attack chain

Possible Execution
- Initial Exploitation: The attackers performed mass scanning for vulnerable devices, with potential automated exploitation.
- Persistence: After successful exploitation, the attackers deployed different variations of web shells on the targeted devices. With an initial foothold, the attacker could steal configuration data, modify existing files, download remote files, and reverse tunnel from the devices. In addition, the attackers backdoored configuration files and deployed additional tools.
- Reconnaissance: The attackers performed reconnaissance of internal systems and applications through proxied connections.
- Credential Stealing: The attackers injected a custom JavaScript-based malware, called WARPWIRE, into a login page used by end users in order to capture and exfiltrate plaintext credentials.
- Lateral Movement: The attackers moved laterally using compromised credentials to connect to internal systems via RDP, SMB, and SSH.
- Evidence Wiping: The attackers were observed wiping logs and even restoring the system to a clean state after deploying their payloads.
- Evasion (Patch and Detection): In some instances, the attackers modified the integrity checker tool (ICT) to prevent it from flagging any modifications or additions on the system, as a measure to evade detection. The ZIPLINE tool used by the attackers is capable of bypassing ICT detection by adding itself to the exclusion_list used by the ICT. Moreover, as the attacks were discovered and publicized, the attackers quickly adapted by modifying their tools to evade detection. As a result, new variants of the initial attack are being observed in more recent attacks.
How Zscaler Can Help
Zscaler’s cloud native zero trust network access (ZTNA) solution gives users fast, secure access to private apps from any location. It reduces your attack surface and the risk of lateral threat movement: no more internet-exposed remote access IP addresses, and secure inside-out brokered connections. It is easy to deploy and enforces consistent security policies across campus and remote users.

Zscaler Private Access™ (ZPA) allows organizations to secure private app access from anywhere. Connect users to apps, never the network, with AI-powered user-to-app segmentation. Prevent lateral threat movement with inside-out connections.

- Deploy comprehensive cyberthreat and data protection for private apps with integrated application protection, deception, and data protection.
Figure 2: VPN vulnerabilities open doors to cyber threats; protect against these risks with zero trust architecture.
Zero trust is a fundamentally different architecture from those built upon firewalls and VPNs. It delivers security as a service from the cloud and at the edge, instead of requiring you to backhaul traffic to complex stacks of appliances (whether hardware or virtual). It provides secure any-to-any connectivity in a one-to-one fashion, for example connecting any user directly to any application. It does not put any entities on the network as a whole, and it adheres to the principle of least-privileged access. In other words, with zero trust, security and connectivity are decoupled from the network, allowing you to circumvent the aforementioned challenges of perimeter-based approaches. Zero trust architecture:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real time.
- Prevents lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole.
- Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Additionally, zero trust architecture overcomes countless other problems associated with firewalls, VPNs, and perimeter-based architectures by enhancing user experiences, decreasing operational complexity, saving your organization money, and more.
Zscaler ThreatLabz recommends that our customers implement the following capabilities to safeguard against these types of attacks:

- Safeguard crown jewel applications by limiting lateral movement, using Zscaler Private Access to establish user-to-app segmentation policies based on the principle of least-privileged access, including for employees and third-party contractors.
- Limit the impact of a potential compromise by restricting lateral movement with identity-based microsegmentation.
- Prevent exploitation of private applications by compromised users with full in-line inspection of private app traffic with Zscaler Private Access.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered in second-stage payloads.
- Detect and contain attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts with Zscaler Deception.
- Identify and stop malicious activity from compromised systems by routing all server traffic through Zscaler Internet Access.
- Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
- Ensure that you are inspecting all SSL/TLS traffic, even if it comes from trusted sources.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall, including emerging C&C destinations.
Best Practices

Follow CISA Directives

Timely compliance with CISA’s Emergency Directive on the Ivanti vulnerabilities is critical for minimizing the impact of these vulnerabilities.

Implement zero trust architecture

Enterprises must rethink traditional approaches to security, replacing vulnerable appliances like VPNs and firewalls. Implementing a true zero trust architecture, fortified by AI/ML models, to block and isolate malicious traffic and threats is a critical foundational step. Prioritize user-to-application segmentation so that users are never placed on the same network as your applications. This provides an effective way to prevent lateral movement and keep attackers from reaching crown jewel applications.
Proactive Measures to Safeguard Your Environment

In light of the recent vulnerabilities affecting Ivanti, it is imperative to employ the following best practices to fortify your organization against potential exploits.

- Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet and impossible to compromise, ensuring an attacker can’t gain initial access.
- Prevent initial compromise: Inspect all traffic in-line to automatically stop zero-day exploits, malware, and other sophisticated threats.
- Enforce least-privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access: Use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats: Enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
- Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
- Deploy active defenses: Leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
- Cultivate a security culture: Many breaches begin with the compromise of a single user account via a phishing attack. Prioritizing regular cybersecurity awareness training can help reduce this risk and protect your employees from compromise.
- Test your security posture: Get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team.
Conclusion

Ivanti’s VPN products face severe security threats due to multiple zero-day vulnerabilities exploited by state-backed hackers. The initial disclosure revealed critical CVEs allowing unauthorized access and remote command injection. Following Ivanti’s patch release, two additional flaws enabling privilege escalation were swiftly exploited by the threat actors.

CISA has responded with an advisory and an emergency directive setting deadlines for mitigating the original issues. With the discovery of new vulnerabilities and the absence of patches, CISA issued a supplemental directive mandating that Federal agencies disconnect Ivanti ICS and IPS solutions from their networks by 11:59 PM EST, February 2, 2024.