Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin
Authors: David Brown and Mungomba Mulenga
TL;dr
NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024:
- CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2
- CVE-2024-21887 – a command-injection vulnerability found into multiple web components with a CVSS score of 9.1
By combining these vulnerabilities threat actors can quickly access a network and obtain domain administrator privileges.
New TTPs
There is a wealth of excellent information from the Cybersecurity community detailing the subsequent tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) that have been observed since the public reporting on the Ivanti zero day. This blog focuses on the exploitation of specific CVEs, that when used together could be particularly damaging.
T1068 – Privilege Escalation – Exploitation for Privilege Escalation
NCC Group has assisted a number of clients who are dealing with the Ivanti Connect Secure VPN zero-day and in the process of doing so we identified what we believe to be follow on actions that attempted to leverage CVE-2021-422782 and CVE-2021-422873.
These are vulnerabilities in Active Directory that when combined can allow a regular user to impersonate a domain administrator.
In order to successfully exploit these in an environment there will need to be a domain controller present that is not patched against this vulnerability, the threat actor would need access to a regular domain user account and a machine user account quota above zero.
This activity shows that threat actors are quickly attempting lateral movement and privilege escalation once they have gained a foothold on a compromised Ivanti Connect Secure VPN.
Detection
If you have Ivanti Connect Secure VPNs in use, then it is advised to do the following to check if you are vulnerable to this attack or if it has been attempted in your organization:
- Check that all of your domain controllers are patched against CVE-2021-42278 and CVE-2021-42287.
- Check domain controller logs for suspicious activity coming from the Ivanti appliance, specifically the following:
- Windows Security Log Event ID 5156 – The windows filtering platform has allowed a connection
- Windows Security Log Event ID 4673 – A privileged service was called
- Windows Security Log Event ID 4741 – A computer account was created
- Windows Security Log Event ID 4724 – An attempt was made to reset an account’s password
- Windows Security Log Event ID 4742 – A computer account was changed
- Windows Security Log Event ID 4781 – The name of an account was changed
If you have been affected by the Ivanti vulnerability and see above activity that coincides with compromise you should invoke your incident response plan immediately and investigate further.
Mitigation
The good news is that mitigation for this issue is relatively straightforward. The following should be considered:
- Patch all domain controllers against the underlying CVEs
- Set the machine account quota for standard users to zero
Please ensure to test the impact of any changes within your environment before applying mitigations.
Conclusion
It appears that threat actors are rapidly stringing CVE’s together to take advantage of the access the Ivanti Zero day has provided. NCC Group has not been able to attribute the attacks at this time or define what the end objectives were, as the attacks were interrupted.
The Ivanti issue does present an opportunity for initial access brokers to plant backdoors in environments however, leading to the possibility of follow on action taking place weeks or months after the initial compromise of the Ivanti Connect Secure VPN.
It underscores how important it is that there is a thorough investigation of the wider environment if an Ivanti compromise is detected.
If you think you are experiencing an attack contact our 24/7 incident response team using this link.