Day 1

From Zero Day to Mass Exploitation: Ivanti VPN

Law Enforcement
Session complexity:
15:00 - 15:25

“During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Further investigation showed that the attacker placed webshells on multiple internal and external-facing web servers. By examining the memory of compromised servers and network traffic, all paths led to a so-called edge device

— an Ivanti Connect Secure VPN appliance
—as the root cause of the intrusion.

Working with Ivanti, Volexity discovered the compromise was the result of the exploitation of two zero-day vulnerabilities:
• CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2
• CVE-2024-21887 – a command-injection vulnerability found in multiple web components with a CVSS score of 9.1 This talk will highlight the memory forensic analysis and threat intelligence chase that led to the discovery of the two zero-days and the subsequent mass exploitation of Ivanti Connect Secure VPN appliances globally. It will also highlight the challenges of performing forensics on these devices. In this presentation, Volexity will reveal the tricks used by UTA0178, the first threat actor to exploit the vulnerabilities and give insight into other threat actors that quickly adopted the vulnerabilities in the race to exploit these devices en masse.”

Speakers in this session

Robert Jan Mora