Ivanti has reported that a security flaw, CVE-2021-22893, has been exploited by threat actors to gain unauthorized access to systems. According to CISA and FireEye, threat actors are actively using the exploit to install web shells on Ivanti Pulse Connect Secure products and extend their ability to target organizational systems. The remote code execution (RCE) vulnerability gives attackers a range of capabilities, including:
- Authentication bypass
- Multi-factor authentication bypass
- Password logging (credential theft)
- Persistence through patching
CISA has identified the following post-exploitation activity carried out once administrator-level access was obtained:
- Performing network reconnaissance through Microsoft Windows command line processes to enumerate the compromised system and network.
- Establishing a virtual private server (VPS) through a Windows Server Message Block (SMB) client to install a remote access tool (plink.exe).
- Creating a connection to a command and control server.
- Installing malware named “inetinfo.exe” and using the Windows Task Scheduler to run it.
- Establishing a backdoor in the form of a persistent Secure Shell (SSH) tunnel/reverse SOCKS proxy and opening port 8100.
Ivanti reported that a patch for CVE-2021-22893 will be released in May of 2021 and has offered an integrity check tool to help identify indicators of compromise associated with the exploit. The tool's functionality is limited, so a more comprehensive approach is needed to determine whether the device has been compromised.
Secure Network Technology proposes a custom threat hunting engagement that focuses on identifying the exploit and possible exploit activity to facilitate rapid and accurate forensic examination. The methodology is composed of the following elements.
1. Capture targeted artifacts and files on the domain controller using a remote forensic capture tool.
2. Search for evidence of compromised credentials:
   - Unauthorized authentications originating from the Pulse Connect Secure appliance IP address or the DHCP lease range of the Pulse Connect Secure appliance’s VPN lease pool.
   - Escalation of privileges.
   - New admin-level account creation.
   - New admin-level privileges assigned to existing accounts.
   - Unauthenticated web requests from existing or new user accounts.
   - Unauthorized applications and scheduled tasks.
   - Unauthorized remote access tools.
The above items help determine both whether a compromise was successful and the potential impact and severity of that compromise for the organization. Secure Network is prepared to respond immediately: contact them now at 833-974-0015.