In January 2024, a vulnerability was identified in Ivanti products, which may have been exploited as early as December 2023. Ivanti disclosed two vulnerabilities on January 10 in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) and two more on January 31.
As a result, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to disconnect any affected Ivanti products by 11:59 p.m. on Friday, February 2. This was done to ensure that such software was removed from federal systems and to raise awareness among IT and system administrators across the U.S., who should consider similar action even if their organizations are not federally connected.
Ivanti has since released patches for all four Common Vulnerabilities and Exposures (CVEs) for their most used products, and the company recommends performing a workaround for products that don't yet have an available patch.
Palo Alto Networks Unit 42 continues to monitor the situation closely. Read the Unit 42 Threat Brief for the latest information and product mitigations.
Configure firewalls to block attacks against known signatures
Known domains associated with this malicious activity are categorized as malicious by Advanced URL Filtering and DNS Security
Hunt for the existence of suspicious files on Ivanti servers and other endpoints
Look for lateral movement and other indicators
Ensure endpoints protect against post-exploitation activities
Prioritize Cortex XDR alerts from systems which are connected to affected Ivanti device
Identify and secure all external-facing instances of impacted applications
Insecure detections of Ivanti Connect Secure are enabled by default for all Cortex Xpanse customers.
Get a no-cost Unit 42 Ivanti Attack Surface Assessment
Engage Unit 42 for incident response assistance 24/7
This assessment by the Unit 42 team will help to quickly identify any exposure to these vulnerabilities, identify any compromised assets, locate at-risk assets within your organization, and provide a detailed Assessment Report and tailored mitigation recommendations.
If you are looking for an immediate VPN replacement, you can access our cloud-delivered ZTNA 2.0 solution, Prisma Access, free for 90 days with full deployment support included at no extra cost. If you are an existing Prisma Access customer, we can extend your implementation to additional users and sites at no cost for 90 days.
Disclaimer - This offer is promotional and is subject to availability. Due to the rapidly changing nature of this vulnerability, Palo Alto Networks reserves the right to update this offer.
Discover the latest insights into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products and get actionable strategies from Unit 42 security experts to better safeguard your organization.
|Cortex XDR and XSIAM
|Help protect against post-exploitation activities using the multi-layer protection approach.
|Customers can identify external-facing instances of impacted applications through the “Ivanti Connect Secure” and “Ivanti Policy Secure” attack surface rules.
|Next-Generation Firewall with the Advanced Threat Prevention security subscription
|Helps block the attacks with best practices via Threat Prevention signatures. Advanced Threat Prevention could proactively detect this vulnerability before the public vulnerability disclosure.
|Includes added detection for the cryptominers used in these attacks.
|Advanced URL Filtering and DNS Security
|Help categorize as malicious known domains associated with this activity.
|Advanced URL Filtering
|Helps categorize exploit and scanning attempts as Scanning Activity.
If you need help with a compromise or are looking for a proactive assessment to lower your risk, we can help you.