PULSE NAME
Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
WHITE UTA0178 AlienVault 2024-03-01 Modified: 2024-03-31
37 IOCs
MEDIUM VOLUME
Cyber threat actors are actively exploiting multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways that can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands. This enables threat actors to implant web shells for persistence and harvest credentials stored on compromised devices.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
GLASSTOKEN, GIFTEDVISITOR, BUSHWALK, LIGHTWIRE, CHAINLINE
Indicators of Compromise (37)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2023-46805 2024-03-01
CVE CVE-2024-21887 2024-03-01
CVE CVE-2024-21888 2024-03-01
CVE CVE-2024-21893 2024-03-01
CVE CVE-2024-22024 2024-03-01