Every single Ivanti product (including their SSL-VPN) should be considered a critical threat. The fact that this company is allowed to continue to sell their malware dressed-up as "security solutions" is a disaster. How they haven't been sued into bankruptcy is something I'll never understand.
There is some dark amusement about an MDM and general enterprise management and security systems being used as the attack vector. Ivanti in particular has proven itself to be swiss cheese as of late, and would be bankrupt if people cared about security rather than it being a compliance/insurance checkbox that truly _nobody_ cares about in practice.
Semi-related: with the recent much-touted cybersecurity improvements of AI models (as well as the general recent increase in tensions and conflicts worldwide) I wonder just how much the pace of attacks will increase, and whether it’ll prove to be a benefit or a disadvantage over time. Government sponsored teams were already combing through every random weekend project and library that somehow ended in node or became moderately popular, but soon any dick and tom will be able to do it at scale for a few bucks. On the other hand, what’s being exploited tends to get patched in time - but this can take quite a while, especially when the target is some random side project on github last updated 4 years ago.
My gut feeling is that there will be a lot more exploitation everywhere, and not much upside for the end consumer (who didn’t care about state level actors anyway). Probably a good idea to firewall aggressively and minimize the surface area that can be attacked in the first place. The era of running any random vscode extension and trust-me-bro chrome extension is likely at an end. I’m also looking forward to being pwned by wifi enabled will-never-be-updated smart appliances that seem to multiply by the year.
Can't help but notice the weird choice of illustration in TFA.
Ivanti is a US company. But if you have never heard of them, the dragon-resembling creature in the illustration (representing the dormant backdoor?) makes it look like the incident is somehow related to China.
Why the fuck do people still use Ivanti, and while we're at it, Cisco gear? How many backdoors and vulnerabilities can these two companies produce until they get put out of business?
If you ask me... both these companies should be treated similarly to misbehaving banks: banned from acquiring new customers, an external overseer installed, and only when the products do not pose a threat to the general public any more, they can acquire new customers again.
Ivanti is a necrotic acquirer of things. Kind of like a poor version of Microfocus or Broadcom pre-VMware and pre-AI hype. (Broadcom even bought CA, which was the ultimate company of this type.)
This product was MobileIron, which was actually a pretty decent MDM platform, except like most acquisitions like this I'm sure they purged anyone with a clue. Unlike something like Pulse VPN, MDM is a sticky product and difficult/time-consuming to transition from.
This campaign worked because the operator knew exactly what most detection stacks look for: execution, lateral movement, data exfil. They did none of that. They dropped a loader, confirmed it worked, and left. No behavioral triggers, no alerts, nothing for a SOC analyst to chase.
That's the gap with point-in-time security and checkbox compliance. You run your scan, get a clean report, move on. Meanwhile something like this sits in memory waiting for a buyer. The checklist says "run vulnerability scans quarterly" not "detect dormant in-memory class loaders planted by initial access brokers." Continuous monitoring that baselines normal behavior and flags deviations, even subtle ones like a new JSP file in a path that shouldn't change, is the only way to catch this. But most orgs aren't doing it because their compliance framework doesn't require it.
11 comments
[ 1.9 ms ] story [ 33.1 ms ] threadhttps://hub.ivanti.com/s/article/Security-Advisory-Ivanti-En...
Ivanti doesn't explain how this happened or what mistake led to this exploit being created.
Semi-related: with the recent much-touted cybersecurity improvements of AI models (as well as the general recent increase in tensions and conflicts worldwide) I wonder just how much the pace of attacks will increase, and whether it’ll prove to be a benefit or a disadvantage over time. Government sponsored teams were already combing through every random weekend project and library that somehow ended in node or became moderately popular, but soon any dick and tom will be able to do it at scale for a few bucks. On the other hand, what’s being exploited tends to get patched in time - but this can take quite a while, especially when the target is some random side project on github last updated 4 years ago.
My gut feeling is that there will be a lot more exploitation everywhere, and not much upside for the end consumer (who didn’t care about state level actors anyway). Probably a good idea to firewall aggressively and minimize the surface area that can be attacked in the first place. The era of running any random vscode extension and trust-me-bro chrome extension is likely at an end. I’m also looking forward to being pwned by wifi enabled will-never-be-updated smart appliances that seem to multiply by the year.
“We are aware” and “very limited” are likely (in our opinion, this is probably not fact, etc, etc) to be doing a significant amount of lifting.
For avoidance of doubt, the following versions of Ivanti EPMM are patched:
None
----
Ah, this company is a security joke as most software security companies are.
Ivanti is a US company. But if you have never heard of them, the dragon-resembling creature in the illustration (representing the dormant backdoor?) makes it look like the incident is somehow related to China.
If you ask me... both these companies should be treated similarly to misbehaving banks: banned from acquiring new customers, an external overseer installed, and only when the products do not pose a threat to the general public any more, they can acquire new customers again.
This product was MobileIron, which was actually a pretty decent MDM platform, except like most acquisitions like this I'm sure they purged anyone with a clue. Unlike something like Pulse VPN, MDM is a sticky product and difficult/time-consuming to transition from.
That's the gap with point-in-time security and checkbox compliance. You run your scan, get a clean report, move on. Meanwhile something like this sits in memory waiting for a buyer. The checklist says "run vulnerability scans quarterly" not "detect dormant in-memory class loaders planted by initial access brokers." Continuous monitoring that baselines normal behavior and flags deviations, even subtle ones like a new JSP file in a path that shouldn't change, is the only way to catch this. But most orgs aren't doing it because their compliance framework doesn't require it.