News reaction: Ivanti Zero Day – incident response observations

05 February 2024

Following the discovery of zero day vulnerabilities in the Ivanti Secure Connect VPN, we have observed what we believe to be the attempted exploitation and successful compromise of the product by combining multiple vulnerabilities.

A VPN allows individuals to connect to and access protected resources on a company network, and by exploiting these two vulnerabilities, threat actors could quickly access a network and obtain domain administrator privileges.

Since the Ivanti VPN vulnerabilities were first reported back in January, the cyber security community as a whole has been sharing information on the tactics, techniques and procedures (TTPs) and Indicators of Compromise (IoCs) that have been observed. This new observation from our Incident Response team details more about the exploitation and potential impact.

David Brown, Managing Consultant, Digital Forensics and Incident Response, NCC Group comments: “Since the vulnerabilities were discovered, we’ve been assisting numerous clients, helping them understand whether they may have been compromised. In this process we’ve identified what we believe are cases of threat actors attempting to combine the vulnerabilities to gain access to a network.”

“Our advice to anyone using Ivanti VPN is to follow patching guidance from the manufacturer and to carry out a thorough investigation, hunting for indicators of compromise. Acting now is key.”

You can find further details and technical recommendations here on our Technical Research blog:

https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-observed-leveraging-cve-2021-42278-and-cve-2021-42287-for-quick-privilege-escalation-to-domain-admin/

If you think you are experiencing an attack, contact our 24/7 incident response team using this link.

 

To find out more about our Cyber Incident Response services, visit https://www.nccgroup.com/uk/incident-response/

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574