11 January 2024

China-linked hackers caught exploiting two zero-days in Ivanti Connect Secure VPN

A China-linked state-backed threat actor has been exploiting two previously unknown vulnerabilities in the Ivanti Connect Secure VPN product to place web shells on corporate servers.

One of the zero-day bugs (CVE-2023-46805) is an improper authentication issue in the Ivanti Connect Secure and Ivanti Policy Secure gateways that could be exploited by a remote attacker to bypass the authentication process. The other zero-day, tracked as CVE-2024-21887, is an OS command injection vulnerability that can be abused by an authenticated administrator for remote arbitrary shell command execution; chained with the authentication bypass, it needs no credentials at all.

The flaws affect all supported versions (9.x and 22.x) of Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. Ivanti said it is working on security patches to address the flaws. In the meantime, the company has provided a workaround in the form of the mitigation.release.20240107.1.xml file to mitigate the risk of exploitation.

The attack was discovered by cybersecurity firm Volexity in December 2023 while investigating a security incident at one of its customers. Volexity found that an attacker was placing web shells on multiple internal and external-facing web servers using an exploit chain built from the two zero-day flaws described above.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” the researchers noted in a technical write-up on the incident.

The threat actor, tracked by Volexity as UTA0178, used the exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance. The attackers also altered legitimate ICS components and made changes to the system to evade the ICS Integrity Checker Tool, and backdoored a legitimate CGI file on the ICS VPN appliance to allow command execution. The threat actor then exfiltrated credentials and used them to pivot to other internal systems.
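Because the attackers tampered with the appliance's own Integrity Checker Tool, a verdict from the on-box checker cannot be trusted on a suspect device. The practical check is an out-of-band one: hash every file from a disk image or backup of the suspect appliance on a separate, trusted host and compare the result against the same hashes taken from a known-clean image of the same version. The script below is an added example of that comparison; it is not Ivanti's or Volexity's tooling, and the file names and contents it uses are constructed for illustration, not real ICS paths.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a planted link cannot make a tampered file
    'match' by pointing at an untouched copy elsewhere on disk.
    """
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two hash manifests: files added, removed, or changed versus the clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def _write_tree(root: Path, files: dict[str, bytes]) -> None:
    """Materialise a {relative_path: bytes} mapping on disk (helper for the demo)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario mirroring the report: a clean tree versus a tampered one.

    Paths and contents are illustrative placeholders, not real appliance files.
    """
    clean = {
        "home/webserver/htdocs/auth/welcome.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
        "home/bin/check_integrity.sh": b"#!/bin/sh\nsha256sum -c /home/etc/manifest\n",
        "home/etc/manifest": b"0123abcd  welcome.cgi\n",
    }
    suspect = dict(clean)
    # Legitimate CGI backdoored to run an attacker-supplied command.
    suspect["home/webserver/htdocs/auth/welcome.cgi"] = b"#!/usr/bin/perl\nsystem($ENV{'HTTP_X_CMD'});\n"
    # On-box integrity checker neutered so it always reports success.
    suspect["home/bin/check_integrity.sh"] = b"#!/bin/sh\nexit 0\n"
    # New web shell dropped beside the real CGI scripts.
    suspect["home/webserver/htdocs/auth/.shell.cgi"] = b"#!/usr/bin/perl\n# web shell placeholder\n"

    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _write_tree(Path(a), clean)
        _write_tree(Path(b), suspect)
        return compare_trees(hash_tree(Path(a)), hash_tree(Path(b)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

In real use, `hash_tree` would be run over a mounted image of the suspect appliance and over a clean image of the identical build, both on an analyst workstation; any entry under `modified` or `added` in the web root or in the checker itself is the finding, regardless of what the appliance's own tool reports.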

According to Volexity, UTA0178 has been observed mostly performing reconnaissance and exploration of systems, looking through user files, configuration files, and testing access to systems. The threat actor has also deployed two variants of a custom web shell called Glasstoken to execute commands on compromised servers.

The researchers said they have not yet observed UTA0178 deploying any more advanced malware implants or persistence mechanisms outside of web shells.
