CISA Warns of Ivanti Zero-Day Exploits

Urgent Mitigation Measures Mandated by CISA for Federal Agencies

In a significant development, the Cybersecurity and Infrastructure Security Agency (CISA) has issued the first emergency directive of the year, mandating Federal Civilian Executive Branch (FCEB) agencies to urgently address two zero-day vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been actively exploited by multiple threat actors since December, raising widespread concerns about the security of federal systems.

Exploits Enable Lateral Movement and Persistent Access

The exploits, when combined, enable threat actors to navigate laterally within a targeted network, exfiltrate sensitive data, and establish persistent access through the deployment of backdoors. With Ivanti yet to release security patches to rectify these vulnerabilities, CISA has deemed the situation to pose an unacceptable risk to FCEB agencies, prompting the issuance of emergency directive ED 24-01.

Mitigation Measures Outlined in the CISA Directive

As outlined in the directive, federal agencies are now obligated to promptly implement Ivanti’s publicly disclosed mitigation measures to thwart ongoing attack attempts. In addition to these measures, agencies must leverage Ivanti’s External Integrity Checker Tool and adhere to a set of comprehensive actions outlined in the directive.

Immediate Reporting and Removal of Compromised Products

First and foremost, agencies are required to report any indications of compromise promptly to CISA through the designated communication channel at [email protected]. Subsequently, agencies are instructed to remove compromised Ivanti products from their networks and initiate a thorough incident analysis. This includes preserving data from compromised devices through the creation of forensic hard drive images while actively searching for indications of further compromise.

Restoration Steps and Security Measures

To bring a compromised product back into service, agencies are directed to reset the device with the affected Ivanti solution software to factory default settings and remove the attack vector by applying Ivanti’s provided mitigations. The directive also outlines a series of additional steps to fully restore impacted appliances, including the revocation and reissuance of stored certificates, resetting of administrative enable passwords, resetting of stored API keys, and the resetting of passwords for any local users defined on the gateway.

Timely Application of Updates and Reporting Requirements

Furthermore, agencies are mandated to apply updates addressing the two vulnerabilities referenced in the directive as soon as they become available, with a strict deadline of no later than 48 hours following their release by Ivanti. One week after the issuance of the directive, agencies are required to report to CISA, using the provided template, a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks. This report must include details on the actions taken and results achieved in response to the CISA directive.
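The reporting, removal, restoration and patching steps above form one ordered procedure per appliance, with two clocks attached to it. The following Python script is an added illustration of how an agency team might track that procedure; it is not CISA's, Ivanti's or any agency's tooling. The step names, hostnames, timestamps and report layout are constructed for the example (the article gives no concrete dates), and the ordering it enforces is the one summarised in the text.

```python
"""
Remediation tracker for the ED 24-01 steps summarised in the article (added
example, not CISA's, Ivanti's or any agency's tooling). It enforces the order of
the restore steps per appliance and computes the two directive deadlines: patch
within 48 hours of release and the inventory report one week after issuance.
Hostnames, timestamps and the report layout are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Restore sequence for a compromised appliance, in the order the directive lists it.
RESTORE_STEPS = (
    "report_to_cisa",
    "remove_from_network",
    "forensic_image",
    "factory_reset",
    "apply_mitigations",
    "revoke_reissue_certificates",
    "reset_admin_enable_password",
    "reset_api_keys",
    "reset_local_user_passwords",
)
# An appliance with no indication of compromise only needs the mitigations applied.
CLEAN_STEPS = ("apply_mitigations",)

PATCH_WINDOW = timedelta(hours=48)      # updates due 48 h after Ivanti releases them
INVENTORY_WINDOW = timedelta(weeks=1)   # inventory report due one week after issuance

# Constructed sample timestamps; the article states no concrete dates.
SAMPLE_DIRECTIVE_ISSUED = datetime(2024, 1, 19, tzinfo=timezone.utc)
SAMPLE_PATCH_RELEASE = datetime(2024, 2, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Appliance:
    hostname: str                   # constructed sample name
    product: str                    # "Connect Secure" or "Policy Secure"
    compromised: bool
    completed: List[str] = field(default_factory=list)
    patched: bool = False

    def required_steps(self):
        return RESTORE_STEPS if self.compromised else CLEAN_STEPS


def next_step(app: Appliance) -> Optional[str]:
    """First required step not yet completed, or None when the sequence is done."""
    for step in app.required_steps():
        if step not in app.completed:
            return step
    return None


def record(app: Appliance, step: str) -> None:
    """Mark a step done, refusing to skip ahead (no cert reissue before the reset)."""
    expected = next_step(app)
    if step != expected:
        raise ValueError(f"{app.hostname}: expected {expected!r}, got {step!r}")
    app.completed.append(step)


def patch_deadline(patch_released: datetime) -> datetime:
    return patch_released + PATCH_WINDOW


def inventory_due(directive_issued: datetime) -> datetime:
    return directive_issued + INVENTORY_WINDOW


def patch_overdue(app: Appliance, patch_released: Optional[datetime], now: datetime) -> bool:
    """No patch deadline runs until Ivanti has actually published the update."""
    if app.patched or patch_released is None:
        return False
    return now > patch_deadline(patch_released)


def inventory_report(apps, patch_released, now) -> List[Dict]:
    """Rows for the one-week report: every instance, what is outstanding, patch status."""
    return [
        {
            "hostname": a.hostname,
            "product": a.product,
            "compromised": a.compromised,
            "next_step": next_step(a),
            "patched": a.patched,
            "patch_overdue": patch_overdue(a, patch_released, now),
        }
        for a in apps
    ]


def demo() -> List[Dict]:
    """Two constructed appliances: one compromised and mid-restore, one clean and patched."""
    vpn1 = Appliance("vpn-gw-01.example", "Connect Secure", compromised=True)
    for step in RESTORE_STEPS[:4]:          # reported, isolated, imaged, factory reset
        record(vpn1, step)
    nac1 = Appliance("nac-01.example", "Policy Secure", compromised=False)
    record(nac1, "apply_mitigations")
    nac1.patched = True
    now = SAMPLE_PATCH_RELEASE + timedelta(days=3)   # past the 48-hour window
    return inventory_report([vpn1, nac1], SAMPLE_PATCH_RELEASE, now)


if __name__ == "__main__":
    for row in demo():
        print(row)
    print("inventory report due:", inventory_due(SAMPLE_DIRECTIVE_ISSUED).date())
```

The ordering check in record() is the part worth keeping in a real tracker: reissuing certificates or rotating API keys before the factory reset would leave the new secrets on a device the attacker may still control, so the tool refuses to mark a later step done while an earlier one is outstanding. Passing None as the patch release time models the situation the article describes, where no update exists yet and the 48-hour clock has not started.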

Monitoring Efforts Highlight Severity of the Situation

The severity of the situation is underscored by the monitoring efforts of threat intelligence entities. Shadowserver, a threat monitoring service, currently tracks over 16,200 Ivanti Connect Secure (ICS) VPN appliances exposed online, with more than 4,700 located in the United States. Notably, these exposed ICS devices have become the target of active exploitation, with over 420 hacked devices spotted on January 18 alone.

Advanced Exploitation Tactics and Identified Threat Actors

One of the threat actors involved in the attacks, suspected to be a Chinese state-backed group tracked as UTA0178 and UNC5221, has already backdoored over 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant, according to reports from threat intelligence company Volexity. Mandiant, during its investigation into these attacks, discovered the deployment of five custom malware strains on breached customers’ systems. These strains have been designed to steal credentials, deploy webshells, and introduce additional malicious payloads.

Broad Spectrum of Victims and Varied Industry Sectors

The threat actor behind these attacks has been actively harvesting and stealing account and session data, posing a significant risk to the compromised networks. Victims identified so far include government and military departments worldwide, national telecom companies, defense contractors, technology companies, banking and finance organizations, worldwide consulting outfits, and aerospace, aviation, and engineering firms. The targeted entities vary widely in size, ranging from small businesses to some of the largest organizations globally, including multiple Fortune 500 companies spanning various industry sectors.

Cryptocurrency Mining and Malicious Payloads

Volexity and GreyNoise, in their monitoring efforts, have observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads. The dynamics of the situation highlight the critical need for agencies to adhere promptly and comprehensively to the directives outlined in ED 24-01 to mitigate the risks posed by these zero-day vulnerabilities.

Collaborative Approach Emphasized

In conclusion, the emergency directive issued by CISA in response to the zero-day vulnerabilities affecting Ivanti appliances reflects the seriousness of the situation and the urgency required in mitigating the risks posed by active exploitation. The comprehensive set of actions outlined in the directive aims to guide federal agencies in promptly addressing the vulnerabilities, securing their networks, and preventing further compromise. The ongoing monitoring efforts by threat intelligence entities emphasize the evolving nature of the threat landscape, underscoring the importance of a proactive and collaborative approach to cybersecurity at both the national and organizational levels.

Kali Linux 2023.4 Releases with New Hacking Tools

The latest iteration of Kali Linux, version 2023.4, has been unveiled by Offensive Security as the year concludes and the holiday season approaches. Kali Linux, a Debian-derived operating system, is specifically tailored for ethical hacking and penetration testing, positioning itself as an advanced, free, and open-source OS within this niche.

Offensive Security diligently releases annual updates for Kali Linux, a Linux-based distribution geared towards penetration testing and hacking activities. While its primary focus isn’t on end-user features, the new release introduces fresh platforms and substantial improvements behind the scenes.

Kali Linux boasts an array of Information Security tools meticulously designed for various penetration testing endeavors, encompassing security research, reverse engineering, red team testing, penetration testing, computer forensics, and vulnerability management.

In addition to general news and features, the 2023.4 release includes updates to packages, featuring new tools and upgrades. Noteworthy highlights include:

New Platforms and Features:

  1. Cloud ARM64: ARM64 support is now available on Amazon AWS and Microsoft Azure marketplaces.
  2. Vagrant Hyper-V: Vagrant now supports Hyper-V.
  3. Raspberry Pi 5: Kali Linux is now compatible with the latest Raspberry Pi Foundation device.
  4. GNOME 45: Kali’s theme is updated to match the latest versions.

Internal Infrastructure:

Gain insights into the behind-the-scenes workings with mirror bits.

New Tools in Kali Linux 2023.4:

  1. cabby: Implementation of a TAXII client.
  2. cti-taxii-client: TAXII 2 client library.
  3. enum4linux-ng: Next-generation version of enum4linux with additional features (a Windows/Samba enumeration tool).
  4. exiflooter: Discovers geolocation on all image URLs and directories.
  5. h8mail: Email OSINT and password breach hunting tool.
  6. Havoc: Modern and malleable post-exploitation command and control framework.
  7. OpenTAXII: TAXII server implementation.
  8. PassDetective: Scans shell command history to detect mistakenly written passwords, API keys, and secrets.
  9. Portspoof: Emulates services by keeping all 65535 TCP ports open.
  10. Raven: Lightweight HTTP file upload service.
  11. ReconSpider: Most Advanced Open Source Intelligence (OSINT) Framework.
  12. rling: RLI Next Gen (Rling), a faster multi-threaded, feature-rich alternative to rli.
  13. Sigma-Cli: Lists and converts Sigma rules into query languages.
  14. sn0int: Semi-automatic OSINT framework and package manager.
  15. SPIRE: SPIFFE Runtime Environment – a toolchain of APIs for establishing trust between software systems.

Miscellaneous Changes:

  1. The newsletter provider has been changed to SubStack.
  2. The VMware issue in Offensive Security’s pre-gen VMs is fixed.
  3. KDE has issues in virtual machines, with functions like shared clipboard not working.
  4. Support for the QT6 themes was added.
  5. Python v3.12 PIP install change is coming soon.

ARM Updates:

  1. The Raspberry Pi Zero W image now starts in the command line interface, not X.
  2. Remote network configuration access is fixed.
  3. For the ARM64 platform, eyewitness is now available.

New Kali Mirrors:

  1. Japan: repo.jing.rocks
  2. Serbia: mirror1.sox.rs

How to Get Kali Linux 2023.4:

Existing Kali Linux users can swiftly upgrade to the latest version by following these steps:

# Point apt at the kali-rolling repository (this overwrites /etc/apt/sources.list)
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware" | sudo tee /etc/apt/sources.list
# Refresh the package index and upgrade everything, pulling in new dependencies
sudo apt update && sudo apt -y full-upgrade
# Copy new default dotfiles from the skeleton directory into your home (-i asks before overwriting, -b keeps a backup)
cp -vrbi /etc/skel/. ~/
# Reboot only if the upgrade flagged that a reboot is needed
[ -f /var/run/reboot-required ] && sudo reboot -f

To check the current version:

# Distribution release (e.g. VERSION="2023.4") and version ID
grep VERSION /etc/os-release
# Kernel build details and kernel release string
uname -v
uname -r

To download the latest version of Kali Linux (Kali Linux 2023.4), visit the official website.

For those new to Kali Linux, the latest version (Kali Linux 2023.4) can be downloaded in 32-bit or 64-bit from the official website.

KoreLogic Malware: A New Threat to Microsoft Exchange Servers

Cybersecurity researchers have recently uncovered a new strain of malware targeting Microsoft Exchange servers, raising concerns among businesses and organizations that rely on these critical infrastructure components. This sophisticated malware, dubbed “KoreLogic,” employs a multi-pronged attack strategy that combines phishing, fileless execution, and encryption techniques to infiltrate and compromise Exchange servers.

The Threat Landscape: Unveiling KoreLogic

KoreLogic stands out as a particularly advanced form of malware due to its stealthiness and ability to evade traditional security measures. It employs fileless execution, meaning that it doesn’t need to drop any executable files on the system, making it harder for antivirus software to detect and block its activity. Instead, it utilizes legitimate Windows processes to carry out its malicious code.

The malware’s lifecycle begins with a phishing campaign targeting IT administrators, the typical gatekeepers of Exchange server access. Attackers craft convincing emails disguised as legitimate communications from trusted sources, often containing malicious links or attachments. Once an unsuspecting administrator clicks on the infected link or opens the malicious attachment, the malware payload is silently downloaded onto the server.

The Attack Vector: Phishing and Fileless Execution

Once on the system, KoreLogic employs a number of techniques to gain persistence and escalate its privileges. It utilizes DLL sideloading, a method of loading malicious code into legitimate processes, to avoid detection. Additionally, it utilizes Windows PowerShell scripts to execute its malicious functions, making it harder for security software to pinpoint the malware’s origin.

The Malicious Goals: Data Theft and Encryption

The ultimate goal of KoreLogic is to steal sensitive data from the compromised Exchange server and encrypt it, rendering it inaccessible to the server’s legitimate users. This data could include emails, contacts, calendars, and other valuable information. Once the data is encrypted, the attackers typically demand a ransom payment in exchange for the decryption key.

Protecting Against KoreLogic: Prevention and Mitigation Strategies

Given the sophistication of KoreLogic, it’s crucial for Exchange server administrators to implement robust cybersecurity measures to minimize the risk of infection. Here are some critical steps to safeguard Exchange servers:

  1. Phishing Awareness Training: Educate employees about phishing tactics and how to identify suspicious emails or attachments. Encourage them to report any suspicious emails or attachments to IT administrators immediately.
  2. Regular Patching: Keep Exchange servers up-to-date with the latest security patches released by Microsoft. These patches often address vulnerabilities that could be exploited by malware like KoreLogic.
  3. Two-Factor Authentication (2FA): Implement 2FA for Exchange server logins. This adds an extra layer of security by requiring an additional verification step beyond just a password, making it more difficult for attackers to gain unauthorized access.
  4. Network Segmentation: Segment Exchange servers away from the rest of the network to limit their exposure to external threats. This helps contain the damage if a server is compromised.
  5. Data Backup and Recovery: Regularly back up Exchange server data so that a copy exists in case the live data is encrypted or corrupted by malware. This allows for quick restoration after an attack.
  6. Security Monitoring and Incident Response: Implement network monitoring and intrusion detection systems to detect suspicious activity on Exchange servers. Have a well-defined incident response plan in place to quickly identify, isolate, and remediate attacks.

In conclusion, the emergence of KoreLogic underscores the importance of vigilance and proactive cybersecurity measures in protecting critical infrastructure like Microsoft Exchange servers. By implementing the recommended security practices and staying informed about the latest threats, organizations can significantly reduce their risk of falling prey to this sophisticated malware and its detrimental consequences.