Cyber Threats
Protecting Your Network Security from Ivanti Zero-Day Threat
The overlooked vulnerability with real impacts
The Ivanti Zero-Day vulnerability may not be getting the attention it deserves today, yet it carries substantial real-world impacts. A critical issue with this vulnerability is that the primary mitigation strategy is currently to apply patches unless you have IPS technology protecting your VPN server. As of Jan 18th is has been know that the best course of action is to take an imaged backup of your Ivanti Gateway and rebuild fully to the latest build, also the latest information is showing the original Threat Actors in the exploit have expanded as others are likely abusing the public POC that was released on Jan 16th. Please get more information here on the steps needed to remediate. Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887
However, the main concern extends beyond this single vulnerability. Reflecting on last year, the number of VPN vulnerabilities and their successful exploitations were significant. These types of vulnerabilities are often overlooked, especially in environments like businesses, hospitals, schools, or government entities, where administrators may not be fully engaged with the daily threat landscape. A more effective approach is needed.
So, what can we do? Traditional VPNs provide access to our entire network in an uncontrolled manner. A more secure alternative could be to create a private network that allows access only to specific resources, as determined by IT professionals. The principle of least privilege is ideal, but achieving this is challenging due to various internal factors in every organization. Consider, for instance, the SIM swap attack on the SEC X account. Such critical phone numbers should require multiple layers of authentication before allowing a SIM swap.
Imagine a scenario where users can access resources without a VPN, perhaps through a web portal that is constantly monitored and managed for suspicious behavior. At the slightest hint of trouble, the security system could shut down the portal or the user account or even block the device.
Trend Micro™ Zero Trust Secure Access could revolutionize how businesses approach network security. This framework's capabilities are currently beyond what we can fully appreciate. For example, I can set up my Remote Desktop Protocol (RDP) Clients for access and authentication. If something goes wrong, both network access and device and user accounts are blocked.
This approach could prevent a single vulnerability from turning into a major security crisis. Additionally, I can define parameters for an acceptable device risk score. If a device is potentially vulnerable or compromised, its network access, along with all associated user accounts, can be immediately restricted. Adopting a zero-trust approach may require effort, but it is a necessary and crucial measure, given the direction in which our world is moving.
Regarding the Ivanti vulnerability, let's hypothesize with a Trend Micro scenario. Suppose a Trend Vision One ™ customer receives an attack surface notification about the Ivanti vulnerability and its impact, advising them to patch. This vulnerability has been exploited since December 3, 2023, but only came to light in January 2024. Customers could then use Trend Micro™ Zero Trust Secure Access to adjust their access rules to essential apps and web applications.
This modular proxy setup could thwart incoming attacks and prevent lateral movements in the network following a breach by implementing monitoring and action playbooks for encrypted network traffic.