Over 2,100 Ivanti VPNs Compromised: The GIFTEDVISITOR Webshell Threat

The cyber intelligence firm Volexity has recently detected widespread malicious exploitation of critical vulnerabilities in Ivanti Connect Secure VPN appliances.

On January 15, 2024, Volexity first detailed the exploitation of two critical vulnerabilities in Ivanti Connect Secure VPN: CVE-2024-21887 and CVE-2023-46805. The finding came from extensive monitoring, which showed a marked increase in attacks immediately after proof-of-concept exploit code for these vulnerabilities was publicly released. This spike in criminal activity marked a new phase of the threat, with attackers using the vulnerabilities to compromise a growing number of devices.

A key discovery in Volexity’s investigation was the GIFTEDVISITOR webshell. Initially, over 1,700 Ivanti Connect Secure VPN devices were identified as compromised with this backdoor. Further scans revealed an additional 368 infected appliances, bringing the total to over 2,100. The GIFTEDVISITOR webshell has become a significant tool in the arsenal of cybercriminals, giving them unauthorized access to and control over many devices.

In a sophisticated move to evade detection, attackers affiliated with UTA0178 modified the built-in Integrity Checker Tool of the Ivanti Connect Secure VPN appliance. The modified tool falsely reports no discrepancies, regardless of the number of mismatched or new files. This tactic highlights the cunning and resourcefulness of cyber adversaries in masking their digital footprints.

The exploitation didn’t stop at mere unauthorized access. Volexity observed attackers deploying XMRig cryptocurrency miners through downloads from attacker-controlled URLs. This activity compromises the security of the affected systems and turns them into unwitting participants in cryptocurrency mining operations, funneling profits to the attackers’ wallets.

Volexity also brought to light a critical issue organizations face when attempting to restore compromised Ivanti Connect Secure VPN appliances. Many organizations, in their efforts to mitigate the vulnerabilities, inadvertently left their systems vulnerable to re-compromise. This misstep underscores the importance of understanding the proper order of applying mitigations and restoring systems.

It is critically important that organizations running the Ivanti Connect Secure VPN appliance ensure the following:

  • The mitigation is applied in the proper order, that is, after importing any backup configurations.
  • The external Integrity Checker Tool results do not show signs of compromise.
  • Once a patch becomes available, it is applied as soon as possible.
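
The tampering with the built-in checker described above, and the advice to rely on the external Integrity Checker Tool, both rest on the same idea: a check run by the compromised device cannot be trusted, so files must be compared against a baseline held elsewhere. The following added example (not Volexity's or Ivanti's code; the manifest format, file names and function names are assumptions) compares a file tree with an off-box SHA-256 manifest and reports mismatched, new and missing files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: relative path -> SHA-256, taken from a known-good image."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Return mismatched, new and missing files relative to the baseline."""
    current = build_manifest(root)
    return {
        "mismatched": sorted(p for p in current
                             if p in manifest and current[p] != manifest[p]),
        "new": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo() -> dict:
    """Constructed sample tree standing in for a mounted appliance image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi").mkdir()
        (root / "bin").mkdir()
        (root / "cgi" / "login.cgi").write_text("original handler\n")
        (root / "bin" / "check_integrity").write_text("original checker\n")
        baseline = build_manifest(root)  # in practice stored off the device
        # Simulated tampering: checker replaced, one file modified, one added.
        (root / "bin" / "check_integrity").write_text("always report clean\n")
        (root / "cgi" / "login.cgi").write_text("original handler\n# extra\n")
        (root / "cgi" / "dropped.cgi").write_text("unexpected file\n")
        return compare_to_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the comparison runs outside the appliance, replacing the on-box checker does not hide the changes: the replaced checker itself shows up as a mismatched file.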