Cytracom Security Summary: Ivanti VPN Exploit

February 29, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) published a bulletin about threat actors actively exploiting a combination of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure VPN gateways, allowing an attacker to completely bypass authentication and gain a permanent backdoor into corporate networks.

These products are “legacy” VPN appliances typically used in conjunction with or behind a corporate firewall, effectively “behind the castle walls” of a traditional network. Vulnerabilities in these appliances allow attackers to gain access to the corporate network and then launch further attacks on internal applications or data. These internal applications are often themselves vulnerable and, as such, are placed behind a VPN with the expectation that the VPN provides the security.

We’ve outlined more information on the CISA recommendations below:

CISA Recommendation: Limit outbound internet connections from SSL VPN appliances to restrict access to required services.
Key Challenge: VPN appliances used for “full tunnel” use cases must have unrestricted access to the internet, so this advice is impractical for all but the most limited VPN use cases.
ControlOne Capability: ControlOne allows traffic only to resources defined by policy.

CISA Recommendation: Keep all operating systems and firmware up to date.
Key Challenge: Firmware updates to VPN appliances and their associated VPN clients are difficult to coordinate (when to cause downtime) and are often ignored until it is too late.
ControlOne Capability: ControlOne is a cloud service; no administrative maintenance is required to keep an account up to date. ControlOne also enforces the security posture of connected devices, requiring up-to-date operating systems, the presence of RMM/XDR solutions, geographic restrictions, and more.

CISA Recommendation: Limit SSL VPN connections to unprivileged accounts.
Key Challenge: Legacy VPN systems often have privileged (administrator) accounts lingering on the system. User accounts can be difficult to manage because each VPN appliance must be inspected individually, and admin accounts are often NOT included in central authentication.
ControlOne Capability: ControlOne enforces identity-based networking and requires multifactor authentication by default. ControlOne user management is fully cloud-based and integrates tightly with Microsoft AD. ControlOne supports role-based access, and administrative accounts do not have remote-access privileges by default. Remote access can be disabled for any user of any customer in seconds.

To learn more about ControlOne, get in touch with us today!

Read the full CISA advisory here.

To learn more about our security posture and request access to our security documentation, visit the Cytracom Trust Center.