
Cyber News 4 Feb 2024

Last week cyber news

  • After a number of vulnerabilities were discovered in Ivanti products, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered all government agencies to immediately disconnect all vulnerable devices from their networks. Note that the agency requires disconnection immediately and no later than the end of the day on 2.2.24. Devices may be returned to the network only after the product has been reinstalled, the network investigated, and so on.
  • AnyDesk announced 48 hours of significant maintenance work without prior notice. In the change notice, the company states that its code signing certificates have been replaced. The company then published an official announcement that attackers had managed to penetrate some of its systems.
  • The US government revealed the names of members of the Cyber Avengers group and imposed broad sanctions on them. This is the group that damaged controllers made by the Israeli company Unitronics and carried out several other actions against various organizations in Israel.

The National Cyber Directorate

Urgent Alert: Critical Vulnerabilities in Ivanti Products

This is the third update following Ivanti’s release of critical vulnerabilities found in its products.

Details:

1. Two vulnerabilities have been identified in the Ivanti Connect Secure / Policy Secure products which, when chained, allow remote takeover of the equipment without authentication. The vulnerabilities are being actively exploited by attackers (zero-day):

  • The first vulnerability, CVE-2023-46805, allows the authentication mechanism to be bypassed. CVSS score 8.2.
  • The second vulnerability, CVE-2024-21887, allows command injection on the equipment. CVSS score 9.1.
  • Chaining the two vulnerabilities may allow an attacker to run remote commands on the equipment without authenticating.
  • All supported versions of the products (9.x, 22.x) are vulnerable. In some cases, Ivanti Neurons for ZTA gateways can also be attacked using these vulnerabilities.

2. CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

3. Alongside the fix for these vulnerabilities, the company published information on two additional vulnerabilities, CVE-2024-21893 and CVE-2024-21888, which may allow an authenticated user to escalate privileges to administrator level or to access restricted resources.

4. CISA announced that various attack groups have significantly improved their ability to evade the mitigations and detection methods the company has offered so far, including cases in which the external Integrity Checker Tool (ICT) was manipulated.

Mitigation:

  1. For some of the supported versions, the company has released security updates: Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.
  2. The company recommends that all customers install the latest version, but only after performing a factory reset on the equipment, to prevent an attacker from surviving the version update and keeping a foothold on the equipment. Details of the factory reset process are in link #6 below, and details of the version upgrade in link #9 below. The company estimates that the entire process takes between 3 and 4 hours, and the organization must plan accordingly.
  3. Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.
  4. If for some reason an organization chooses not to install the security update, the latest mitigation file, which covers all four vulnerabilities, must be installed. The file mitigation.release.20240126.5.xml must be imported from the company's portal, as a temporary workaround only until the equipment can be updated. As before, this mitigation file also disables certain functionality in the equipment. See link #1 below.
  5. After installing this file, do not push a new configuration or change an existing configuration on the equipment, since doing so may undo the security settings applied by the workaround.
  6. We again recommend avoiding this workaround except as a last resort, and preferring to test and install the security updates, even if a version upgrade is required, over the latest mitigation file.
  7. CISA recommends continued close monitoring of the equipment and active hunting for attacker activity on any network component that is reachable from the VPN server or that has been observed communicating with it. In addition, increased monitoring of authentication services, account usage (especially administrator accounts) and corporate identity management services is recommended, and these services should be isolated from the rest of the corporate network as far as possible.
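As an added example that is not part of the alert or of Ivanti's tooling, the following Python helper parses Ivanti-style version strings such as 9.1R18.3 and checks a constructed appliance inventory against the fixed builds listed in item 1, separating appliances that are already patched from those that need the factory reset and upgrade and those on release trains with no fixed build, for which the alert's fallback is the mitigation file. The product labels "ics"/"zta", the status names and the inventory format are this example's own assumptions.

```python
import re
from typing import NamedTuple

# Ivanti Connect Secure style version string: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int

    def label(self) -> str:
        return f"{self.major}.{self.minor}R{self.release}.{self.patch}"

def parse_version(text: str) -> IvantiVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))

# Fixed builds named in the alert; "ics"/"zta" are hypothetical product labels.
FIXED_BUILDS = {
    "ics": [parse_version(v) for v in ("9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1")],
    "zta": [parse_version("22.6R1.3")],
}

def assess(version_text: str, product: str = "ics") -> tuple:
    """Return (status, advice); a build is compared only with the fixed build of its own train."""
    v = parse_version(version_text)
    for fixed in FIXED_BUILDS[product]:
        if fixed[:3] == v[:3]:  # same release train (major.minor R release)
            if v.patch >= fixed.patch:
                return ("PATCHED", "no action required")
            return ("UPDATE_AVAILABLE", f"factory reset, then upgrade to {fixed.label()}")
    # No fixed build for this train: the alert's fallback is the mitigation XML.
    return ("NO_FIX", "import mitigation.release.20240126.5.xml until a fixed build exists")

def triage(inventory: dict) -> dict:
    """Group appliance names by status; inventory maps name -> (product, version)."""
    groups = {"PATCHED": [], "UPDATE_AVAILABLE": [], "NO_FIX": []}
    for name, (product, version) in inventory.items():
        groups[assess(version, product)[0]].append(name)
    return groups

# Constructed sample inventory, not real appliances.
SAMPLE_INVENTORY = {"vpn-hq-01": ("ics", "9.1R18.3"), "vpn-hq-02": ("ics", "9.1r18.1"),
                    "vpn-branch": ("ics", "22.3R1.2"), "zta-gw-01": ("zta", "22.6R1.3")}
```

Appliances reported as UPDATE_AVAILABLE still need the factory reset described in item 2 before the upgrade, since the version check alone says nothing about whether the device was already compromised.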
