Threat Briefing — Feb 2, 2024

Weekly Threat Briefing - Jan 29 - Feb 2

TLP: CLEAR - This information may be shared publicly

eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Ivanti Zero-Day Vulnerabilities

Bottom Line: Ivanti has released the first patches and additional details for two previously disclosed zero-day vulnerabilities, and has disclosed a third zero-day that is already being exploited. Public-facing infrastructure continues to be a high-value target for threat actors.

This week, Ivanti released the first round of security patches to address two known zero-day vulnerabilities that were disclosed on January 10th. In addition, Ivanti acknowledged a third zero-day vulnerability that is actively being exploited in real world attacks.

CVE-2023-46805 (CVSS: 8.2), an authentication bypass, and CVE-2024-21887 (CVSS: 9.1), a command injection, were disclosed by Ivanti on January 10th but had been exploited in the wild as early as December 2023. Chained together, the two vulnerabilities allow a remote, unauthenticated threat actor to craft malicious requests and execute arbitrary commands on the appliance. On January 31st, Ivanti announced that security patches for certain versions of Ivanti Connect Secure were released; patches for the remaining impacted versions will be released throughout February. Ivanti and CISA also confirmed that threat actors had developed bypasses for both the Ivanti Integrity Checker Tool and the previously recommended mitigation. In response, Ivanti released a new mitigation that may be applied until security patches are installed.
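The chain described above is a general pattern: an authentication bypass gets an unauthenticated request to a handler that should require a session, and a command injection in that handler turns the request into arbitrary command execution. The following is an added illustration of that pattern, not Ivanti's code; the briefing gives no detail of Ivanti's internals, so the route names, the exempt-path prefix, the diagnostic "host" parameter and the request used to trigger both flaws are all constructed here. Each flaw is shown beside its hardened form.

```python
# Added illustration (not Ivanti's code): an auth bypass and a command injection
# chaining into unauthenticated remote command execution, with the hardened form
# of each check beside the flawed one. Route names and parameters are hypothetical.
import posixpath
import re
from urllib.parse import unquote

# Constructed routing policy for a hypothetical appliance web API: only paths
# under this prefix may be reached without a session.
AUTH_EXEMPT_PREFIX = "/api/public/"
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def canonicalize(path: str) -> str:
    """One canonical form for every routing decision: percent-decode once,
    then collapse '.' and '..' segments."""
    return posixpath.normpath(unquote(path))


def vulnerable_is_exempt(path: str) -> bool:
    # Bug: the exemption is decided on the raw path, so
    # '/api/public/../admin/diag' looks public here even though the
    # dispatcher later resolves it to '/api/admin/diag'.
    return path.startswith(AUTH_EXEMPT_PREFIX)


def hardened_is_exempt(path: str) -> bool:
    # Fix: decide on the same canonical form the dispatcher routes on.
    return canonicalize(path).startswith(AUTH_EXEMPT_PREFIX)


def vulnerable_build_diag_command(host: str) -> list:
    # Bug: the request parameter is interpolated into a shell command line.
    return ["/bin/sh", "-c", f"/bin/ping -c 1 {host}"]


def hardened_build_diag_command(host: str) -> list:
    # Fix: allow-list the operand and pass it as its own argv element; no shell.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host operand: {host!r}")
    return ["/bin/ping", "-c", "1", host]


def handle_request(path, params, has_session, is_exempt, build_command):
    """Return ('401', None) if the request needs a session it lacks, otherwise
    a status and the argv the handler would execute. Nothing is executed; the
    argv is returned so the effect of the chain is visible."""
    if not has_session and not is_exempt(path):
        return ("401", None)
    route = canonicalize(path)
    if route == "/api/admin/diag":
        try:
            return ("200", build_command(params.get("host", "")))
        except ValueError:
            return ("400", None)
    if route.startswith(AUTH_EXEMPT_PREFIX):
        return ("200", None)  # harmless public endpoint
    return ("404", None)


# Constructed unauthenticated request that abuses both flaws at once: a
# traversal segment to slip past the exemption check and a shell metacharacter
# in the diagnostic parameter.
ATTACK_PATH = "/api/public/../admin/diag"
ATTACK_PARAMS = {"host": "127.0.0.1; id"}


def run_chain(is_exempt, build_command):
    """Replay the constructed request without a session against a given pair of checks."""
    return handle_request(ATTACK_PATH, ATTACK_PARAMS, False, is_exempt, build_command)


if __name__ == "__main__":
    print("vulnerable:", run_chain(vulnerable_is_exempt, vulnerable_build_diag_command))
    print("hardened:  ", run_chain(hardened_is_exempt, hardened_build_diag_command))
```

With both flaws present the unauthenticated request reaches the diagnostic handler and yields a shell command line containing the injected `id`; with both fixes it is rejected with a 401 before any handler runs. Fixing only one of the two is instructive: a hardened exemption check alone still leaves the command injection reachable by any authenticated user, and a hardened command builder alone still lets an unauthenticated request reach an administrative handler, which is why both CVEs above warranted patching and why the mitigation had to cover the whole chain.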

Also on January 31st, Ivanti disclosed a third zero-day vulnerability, CVE-2024-21893 (CVSS: 8.2), a Server-Side Request Forgery (SSRF) vulnerability in the SAML component. Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA devices are impacted. If exploited, an unauthenticated threat actor may access restricted resources on vulnerable devices. The official advisory states that Ivanti is aware of "a small number of customers" that have been impacted via exploitation of this vulnerability. Security patches were released for some, but not all, impacted products.

In response to these events, eSentire released advisories addressing both the updates for CVE-2023-46805 and CVE-2024-21887 and the disclosure of CVE-2024-21893. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all three vulnerabilities. Threat hunts related to real world attacks for both CVE-2023-46805 and CVE-2024-21887 are ongoing and detections are available via eSentire MDR for Network. The eSentire Threat Intelligence team continues to track all three vulnerabilities for additional details and detection opportunities.

eSentire Threat Intelligence Analysis:

As exploitation of all three of these vulnerabilities is ongoing, it is critical that organizations apply the relevant patches and current mitigations immediately. Organizations using Ivanti products will need to closely follow all Ivanti releases in order to apply the relevant security patches as they are made available. Outstanding versions are expected to receive security patches by February 26th, 2024.

When CVE-2023-46805 and CVE-2024-21887 were publicly disclosed on January 10th, exploitation was limited to a single threat actor group that performed targeted attacks. Only one day later, other threat actors had begun exploiting the vulnerabilities. At this time, CVE-2024-21893 is likely only being exploited by a single threat actor group, but the eSentire Threat Intelligence team assesses that more widespread exploitation in the immediate future is almost certain. It is critical that organizations mitigate the issue before widespread exploitation occurs, as the likelihood of impact will increase significantly.

Ivanti continues to be a high-value target for threat actors. Organizations are strongly recommended to closely monitor Ivanti and other Internet-facing applications that may be exploited for initial access.

Volt Typhoon Disruption

Bottom Line: The U.S. Justice Department has disrupted a Volt Typhoon APT campaign that targeted outdated routers in homes and small offices. A defense-in-depth approach to security is critical, as adversaries target End-of-Life devices to bypass security controls and operate undetected.

The U.S. Justice Department has announced that it disrupted a state-sponsored cyber operation that was carried out by the Volt Typhoon APT group. Volt Typhoon is a known Chinese APT group that gained notoriety in 2023 after the group breached U.S. critical infrastructure in Guam. According to recent reports, similar activity has continued since.

First reported by Reuters on January 29th, the Justice Department has now confirmed that in December 2023 it carried out a court-authorized operation to disrupt a botnet made up of hundreds of U.S.-based small office/home office (SOHO) routers. These routers had been compromised, infected with KV Botnet malware, and used by Volt Typhoon to conceal the origin of attacks against U.S. and other victims. According to FBI Director Christopher Wray, "Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors". The majority of impacted routers were Cisco and Netgear devices; they were vulnerable to various exploits because they were End-of-Life (EoL), meaning they were no longer maintained by the vendor. While the compromised routers provided a stealthy relay, the underlying intrusions are believed to aim at establishing long-term persistence in critical infrastructure networks, positioning that could be used for destructive attacks in the event of a future conflict.

In response to these events, CISA, in coordination with the FBI, has released a Secure by Design alert related to this activity that includes best practices and recommendations for building secure devices. The alert outlines three core principles for developing secure-by-design devices.

The eSentire Threat Intelligence team continues to track Volt Typhoon activity and the eSentire product suite has a variety of detections for known Volt Typhoon tools and techniques.

eSentire Threat Intelligence Analysis:

The Justice Department's operation disrupted a significant cyber threat but also serves as a reminder of the importance of cybersecurity hygiene, including the need to update or replace outdated hardware, such as the “end of life” routers in this case. This operation also underscores the ongoing threat posed by state-sponsored cyber actors and the need for a robust and proactive defense strategy.

In the short term, the disruption of the KV Botnet is a significant victory in the fight against state-sponsored cyber threats. It demonstrates the effectiveness of proactive defense and the importance of government and private sector collaboration in combating such threats. However, this is one battle in an ongoing campaign. APT groups such as Volt Typhoon are known for their persistence and adaptability; they continuously evolve their Tactics, Techniques, and Procedures (TTPs) to circumvent defenses and achieve their objectives, so similar activity from APT groups is expected to continue. This underscores the need for continuous vigilance, regular system updates, and robust cybersecurity strategies.

A defense-in-depth strategy can significantly enhance an organization’s cybersecurity posture. This approach layers multiple security controls across the organization’s systems, creating a robust barrier against cyber threats. The key principle behind defense-in-depth is that no single security measure is foolproof. By implementing multiple layers of defense, organizations can ensure that if one control fails or is bypassed, others are in place to thwart the attack. In the context of threats like the KV Botnet, a defense-in-depth strategy could involve secure router configurations, regular hardware and software updates, network segmentation, and continuous monitoring for unusual network activity. By adopting a defense-in-depth strategy, organizations can better protect themselves against persistent and evolving threats from state-sponsored actors and other cyber adversaries.

Global Affairs Canada Breach

Bottom Line: Global Affairs Canada (GAC) has confirmed that a significant and prolonged breach impacted the government agency.

On January 30th, multiple news agencies reported on a security breach impacting the internal network of Global Affairs Canada (GAC). CBC News reportedly observed three internal emails sent to GAC staff. One email allegedly stated "Forensic work has also progressed to help us understand the scope of the data breach. The work is ongoing, but early results suggest that many (Global Affairs Canada) users may have been affected." Another email purportedly said "[i]f you used a SIGNET (Secure Integrated Global Network) laptop between December 20th, 2023, to January 24th, 2024, to connect remotely (via VPN) to HQ GAC servers, you may be vulnerable. Email traffic and files on your H (personal) and I (shared) drives may have been compromised." The Virtual Private Network (VPN) system in question is managed by Shared Services Canada, a federal department created in 2011 responsible for delivering secure and reliable IT services to Government of Canada organizations.

A statement issued by Global Affairs Canada said a partial IT outage, impacting remote access to its network, was activated intentionally on January 24th to "address the discovery of malicious cyber activity." GAC continued by saying "[e]arly results indicate there has been a data breach and that there has been unauthorized access to personal information of users including employees.” They also confirmed that connectivity within GAC buildings was not impacted and remote employees have been given temporary workarounds. Shared Services Canada (SSC) along with the Canadian Centre for Cyber Security (CCCS), a division of the Communications Security Establishment (CSE) are actively investigating the breach and aim to restore full connectivity “as soon as possible.”

eSentire Threat Intelligence Analysis:

The persistent targeting of Global Affairs Canada (GAC) by threat actors, as evidenced by the significant breach in 2022 and again in late 2023, underscores the critical need for continuous vigilance, robust cybersecurity measures, and adaptive strategies. These incidents highlight the evolving nature of cyber threats and the potential vulnerabilities within government systems, emphasizing the importance of protecting sensitive information and maintaining the integrity of these systems. The repeated breaches at GAC serve as a stark reminder of the ongoing cybersecurity challenges faced by government agencies worldwide.

The cyber-attack in January 2022 resulted in a multi-day shutdown of numerous GAC internal systems. While the actor responsible for this attack remains (as of writing) unnamed, a national security source told Global News that suspected Moscow-backed hackers were involved in the attack. “GAC has been the target of a cyber attack but it is not clear if the Russians, the alleged perpetrators, hacked into the system or were able to merely disrupt its service,” said the source. At the time of the attack, the Canadian government was a vocal supporter of Ukraine as Russia amassed troops on the Ukraine-Russia border.

In an interview with CTV News, Neil Bisson, Director of Global Intelligence Knowledge Network and Retired Intelligence Officer for Canadian Security Intelligence Service (CSIS), when asked about the targeting of Global Affairs Canada stated "Global Affairs Canada is located throughout the world. They have a lot of interactions with different diplomats and other individuals and they have an information gathering section through the GSRP (Global Security Reporting Program)." The type of information GAC contains includes diplomatic communications, policy documents, and potentially classified information related to Canada’s international relations and strategies. For threat actors, particularly those backed by nation-states, gaining access to this information could provide significant strategic advantages. It could offer insights into Canada’s foreign policy, negotiation strategies, and international alliances. Moreover, it could potentially expose vulnerabilities in Canada’s national security infrastructure.

While technical details of the attack are limited at this time, Global Affairs Canada confirmed their VPN system was vulnerable between December 20, 2023, and January 24, 2024. During this timeframe there have been a number of notable zero-day vulnerabilities in VPN appliances disclosed including Ivanti Connect Secure and Ivanti Policy Secure gateways, and Citrix NetScaler ADC and NetScaler Gateway, both of which have been confirmed to be exploited by threat actors in the wild. Additionally, on January 24th, CCCS released a security advisory to address Cisco vulnerabilities in multiple products; past Cisco zero-day vulnerabilities have been a popular target for threat actors.

It is unlikely that the Canadian government will publicly attribute this attack to a state threat actor, as doing so would raise geopolitical tensions. However, both Chinese-aligned and Russian-aligned APT groups remain the primary candidates. As the Russia-Ukraine conflict wears on and Canada continues to support Ukraine, Russia may look to gain a strategic advantage by stealing information from GAC. Additionally, as reports on China's attempted influence on Canadian federal elections gain notoriety, it is plausible that the threat actors behind the cyberattacks on GAC are backed by China. The valuable and sensitive information that GAC has access to would be of strategic interest to any state actor seeking to influence Canadian politics or gain insights into Canada's international relations and strategies.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
