Ivanti Vulnerabilities Exploited; Easy Patch Tuesday; Nine More Exploited Vulnerabilities

Ivanti users should consult the excellent write up by Volexity for details. Connect Secure used to be known as Pulse Secure before being acquired by Ivanti in 2020. The product has a rich vulnerability history and has frequently been used to breach corporate networks. Connect Secure has likely become expensive to maintain for Ivanti with its legacy Perl codebase and complex software architecture typical for a legacy product. This will make it difficult for Ivanti to invest into proactively identifying security vulnerabilities, relying on non cooperating third parties to assist in identifying product flaws.

I had to look this up to make sure because Ivanti has been on an acquisition spree. This is affecting the old Juniper SSL VPN Customers. There is still a pretty sizable set of companies running this tech.

Ivanti has both published a mitigation you can download and install and provided IOCs you can incorporate into your threat hunting. They are providing guidance for upgrading to newer releases which have more expedited patch release cycles. The patch will be released the weeks of the 22nd of January to the 19th of February, depending on the product version you’re running.

Given the ease with which the pair of vulnerabilities can be exploited, download and apply the mitigation procedures that Ivanti provides with great haste. You can expect that evildoers are now circling and targeting the VPN appliance.

The law of large numbers at work: FNF says they “…do not believe that the incident will have a material impact on the Company.” An incident this large is likely to have a hard cost in the $100M dollar range but since that is less than 2% of FNF’s reported 12 month profit of $6B, it is not “material” as far as regulators are concerned. But, if management was convinced that spending $10M would have prevented the loss of $100M they may have made that investment.

Although most attention on ransomware events is focused on small to medium size enterprises (K-12, Healthcare), FNF proves that even fortune 500 companies also fall victim. What’s even more interesting is that the company doesn’t believe it to be a ‘material’ event, thereby, skirting some of the new SEC rules.

This raise a point that is important to get across to your management: using cloud services does *not* mean having to allow your sensitive data to be stored in countries that don’t meet your regulatory requirements for protecting privacy. Similarly, if you are in the business of providing cloud services, your customers will increasingly have requirements for meeting higher national data privacy standards than the US has.

This is a continuation of Microsoft efforts to abide by strict privacy laws within the EU. There was hope that the US and EU would reach agreement on data sharing but in the end, this is the most effective way for CSP’s to abide by national privacy laws. Expect other CSP’s to follow Microsoft’s lead.

Microsoft has a vast EU presence, unsurprisingly, so it makes perfect sense for them to focus on EU-based privacy and data sovereignty.

Wordfence provided a firewall rule for the POST SMTP Mailer paid and free customers January 3rd and February 2nd respectively. Most importantly make sure that you have the updated plugins, 2.8.8 for POST SMTP and 1.9.99 of the AI Engine. Assume attackers are actively looking for known vulnerable plugins on WordPress sites.

Wordpress’ market share is 43% of all websites. For content management systems its global market share is even higher. Unfortunately, plugins are its Achilles heel. The best protection is to maintain patch diligence and include a firewall to monitor and filter web traffic.

It should no longer be necessary to point out that WordPress plugins are a source of vulnerability for web sites, that most come with no representations of quality, should not be used by default, only by design and intent, and when used must be diligently managed. The issue is plugins in general rather than these two.