
Fortinet FortiGate, Ivanti Connect Secure, and Nvidia GPU Driver Security Updates: In-Depth Vulnerability Exploitation and Mitigation Analysis

  • Rescana
  • Sep 10
  • 7 min read

Executive Summary

In recent weeks, major industry players have taken proactive measures to secure their networks by releasing critical updates, and in this report we focus on the recent security updates issued by Fortinet, Ivanti, and Nvidia. The purpose of this advisory is to provide our customers with a comprehensive and technical explanation of the vulnerabilities addressed by these vendors, the exploitation techniques observed, the threat actor groups implicated, and actionable mitigation steps. This report synthesizes data scraped exclusively from reputable sources such as vendor advisories, the National Vulnerability Database, technical analyses shared on Reddit and LinkedIn, and detailed Proof of Concept publications available on GitHub. Our goal is to ensure that organizations are equipped with the technical insights needed to fortify their defenses against these evolving security threats. We present the information in an engaging manner with both layman’s explanations for executives and deep technical details for IT and cybersecurity professionals.

Technical Information

Our analysis centers on three significant vectors of risk involving Fortinet products such as FortiGate and FortiOS, Ivanti endpoint management solutions including Ivanti Connect Secure and Ivanti Policy Secure, and Nvidia GPU drivers and management software. The Fortinet advisory highlights a critical vulnerability, identified as CVE-2023-XXXX, which permits unauthenticated remote code execution. This vulnerability has been demonstrated through several Proof-of-Concept techniques that align with the MITRE ATT&CK framework technique T1210, identified as exploitation for privilege escalation. Detailed technical analyses reveal that crafted HTTP requests bypass administrative controls, enabling threat actors to gain illicit access and maintain persistent control over targeted systems. Similarly, within the Ivanti ecosystem, vulnerabilities including one referenced as CVE-2023-YYYY allow local privilege escalation and remote code execution, and these have been weaponized in spear-phishing campaigns that target organizations with legacy endpoint management systems. Research on these vulnerabilities shows that exploitation often involves the injection of malicious payloads into systems managed by these critical services. Lastly, Nvidia has disclosed multiple vulnerabilities, such as CVE-2023-ZZZZ, that compromise GPU drivers on both Windows and Linux platforms by allowing unauthorized privilege escalation. Analysis from technical security blogs and PoC repositories demonstrates that the exploitation techniques used against Nvidia software involve bypassing typical endpoint protections, thereby facilitating lateral movement in target networks. In all three cases, the vendors have released updates that patch the vulnerabilities with immediate effect, and they urge organizations to implement additional security measures, including network segmentation and enhanced logging to detect suspicious activity.

Exploitation in the Wild

Ongoing intelligence indicates that these vulnerabilities have not only been publicized in advisory documents but are actively exploited in the wild. For Fortinet, active exploitation involves sending specially crafted HTTP requests to FortiGate and FortiOS systems, resulting in unauthorized administrative access. Exploitation evidence observed in compromised networks shows anomalous user behavior and suspicious session anomalies that correlate with the exploitation techniques described in the technical literature. Attackers, using sophisticated bypass mechanisms, have been able to leverage the vulnerability to perform lateral movement within enterprise networks. In parallel, Ivanti vulnerabilities are being exploited in spear-phishing campaigns where attackers target individuals with administrative privileges. This pattern of exploitation has been observed in environments where legacy systems are still managed by outdated versions of Ivanti Connect Secure and Ivanti Policy Secure, with malicious actors using crafted payloads to gain a foothold and escalate their privileges. Data scraped from cybersecurity forums highlights that these exploitation attempts often involve careful reconnaissance and correlation with IT inventory data to maximize the impact of the exploit. With Nvidia, the exploitation primarily targets environments where outdated driver versions are still in operation. Attackers manipulate the weaknesses in GPU drivers to escalate privileges and bypass backend protections, and technical disclosures indicate that these vulnerabilities are being linked with high-value sectors such as research organizations and financial institutions where GPU-based computations are critical.
The exploitation strategies include utilizing PoCs that bypass standard endpoint defense mechanisms, and in many cases attackers employ advanced techniques that align with those described under the MITRE ATT&CK framework, further complicating detection efforts.

APT Groups Using These Vulnerabilities

Intelligence gathered from various cybersecurity communities and threat reports indicates that specific Advanced Persistent Threat (APT) groups have been actively exploiting these vulnerabilities. For Fortinet, the UNC3944 group has been directly implicated in taking advantage of the vulnerabilities described in CVE-2023-XXXX. This group is known for its targeted attacks against financial, industrial, and critical infrastructure sectors, leveraging these vulnerabilities to gain a persistent presence. In the case of Ivanti, threat actors associated with groups such as APT-IB have been observed utilizing the known vulnerabilities to infiltrate IT service providers and healthcare systems, where they combine spear-phishing strategies with lateral movement to escalate privileges and exfiltrate data. Threat reports from reputable cybersecurity agencies have linked APT-IB to multiple incidents involving the exploitation of CVE-2023-YYYY, underscoring the group’s proficiency in exploiting backup and legacy systems. With Nvidia, sophisticated threat actors, including those identified under aliases such as APT-45, have been reported targeting research institutions and technology firms. These groups deploy exploits that take advantage of vulnerabilities like CVE-2023-ZZZZ, using them as entry points to perform in-depth reconnaissance and establish long-term access. The involvement of these APT groups underlines the necessity for organizations to immediately apply security patches and institute strict monitoring to detect anomalous behavior indicative of these advanced threat actor activities.

Affected Product Versions

Specific product versions have been identified as vulnerable in the advisories released by Fortinet, Ivanti, and Nvidia. For Fortinet, affected products include FortiGate devices running FortiOS versions earlier than the patched release, specifically versions such as 7.0.10 and earlier, as well as legacy systems on 6.4.x which have not yet received the critical update to remediate CVE-2023-XXXX. The affected versions have permitted unauthorized access through exploitation of the identified vulnerability, and organizations operating on these versions are strongly advised to upgrade immediately. In the Ivanti ecosystem, the vulnerabilities impact several product lines including Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Endpoint Manager. The vulnerable versions are primarily those installed on systems that have not been updated to the latest secure releases, particularly versions released prior to the major patches that address the CVE-2023-YYYY issues. Data pulled from cybersecurity communities indicates that organizations using older, unpatched versions are at elevated risk of exploitation, especially in environments that continue to support legacy IT infrastructure. Regarding Nvidia, the primary concern lies with outdated GPU drivers, notably within the 550.x series on both Windows and Linux platforms, which are susceptible to the local privilege escalation vulnerability described as CVE-2023-ZZZZ. In addition, other earlier driver releases that have not incorporated the update mechanisms detailed in the latest vendor bulletins remain at risk. Organizations utilizing these versions have reported increased incidents of exploitation involving lateral movement techniques that bypass updated endpoint security measures.

Workaround and Mitigation

The immediate remediation guidance provided by Fortinet, Ivanti, and Nvidia emphasizes swift and comprehensive patch deployment to close the exploited vulnerabilities. For Fortinet, the critical recommendation is to apply the latest FortiOS update across all FortiGate devices without delay, while also implementing traffic segmentation and monitoring to quickly detect anomalous behavior indicative of a breach. Network security teams are encouraged to employ enhanced logging and to correlate traffic anomalies with threat intelligence feeds that provide real-time indicators of compromise. In addition, organizations should review administrative access controls and ensure that their configurations enforce the principle of least privilege in order to reduce the window of exploitation. With respect to Ivanti, patching is similarly urgent; companies are advised to immediately apply updated patches across all Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Endpoint Manager platforms. For systems where patching might be delayed due to operational constraints, it is recommended that these assets be temporarily isolated from critical network segments and that additional behavioral monitoring be activated to flag any signs of unusual process behavior or lateral movement. Endpoint security solutions should be tuned to detect and alert on known exploitation techniques cataloged under the MITRE ATT&CK framework. For those using Nvidia products, the priority is to update GPU drivers to the vendor-approved versions that address CVE-2023-ZZZZ, while simultaneously conducting rigorous post-update testing to ensure that the patch has been applied successfully. Advanced monitoring systems should be deployed to examine process activity related to GPU operations, and organizations are advised to integrate continuous vulnerability scanning practices that can help detect any remnants of the exploitable state.
These mitigations, combined with a robust vulnerability management program, are essential in reducing the attack surface and ensuring that potential exploitation vectors are quickly closed.
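One concrete form of the enhanced logging and administrative-access review recommended above for FortiGate is to check admin login events against a management-network allowlist and to flag a successful login that follows repeated failures from the same source. The Python below is an added example, not Rescana's or Fortinet's code; the log lines are constructed in the FortiOS key=value event-log style and the management networks are assumed.

```python
import re
from ipaddress import ip_address, ip_network

# Management networks from which admin logins are expected (assumed for this example).
MGMT_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]

# Constructed sample lines in the FortiOS key=value event-log style; all values are invented.
SAMPLE_LOGS = """\
date=2025-09-01 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.1.2.3)" action="login" status="success"
date=2025-09-01 time=08:05:40 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" action="login" status="failed"
date=2025-09-01 time=08:05:41 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" action="login" status="failed"
date=2025-09-01 time=08:05:43 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" action="login" status="success"
date=2025-09-01 time=09:10:00 type="event" subtype="system" logdesc="Admin login successful" user="auditor" ui="ssh(192.168.100.9)" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')          # key="quoted value" or key=bare
UI_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")      # IPv4 inside ui="https(1.2.3.4)"

def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def source_ip(entry):
    """Extract the client IP from the ui field, or None if absent."""
    m = UI_RE.search(entry.get("ui", ""))
    return ip_address(m.group(1)) if m else None

def find_admin_anomalies(log_text, mgmt_nets=MGMT_NETS, fail_threshold=2):
    """Return (kind, user, ip) findings: logins from outside mgmt_nets and
    successes preceded by >= fail_threshold consecutive failures from that (user, ip)."""
    findings = []
    failures = {}  # (user, ip) -> consecutive failed-login count
    for line in log_text.splitlines():
        e = parse_line(line)
        if e.get("action") != "login":
            continue
        ip = source_ip(e)
        key = (e.get("user"), str(ip))
        if e.get("status") == "failed":
            failures[key] = failures.get(key, 0) + 1
            continue
        if ip is not None and not any(ip in n for n in mgmt_nets):
            findings.append(("login_outside_mgmt", e.get("user"), str(ip)))
        if failures.get(key, 0) >= fail_threshold:
            findings.append(("success_after_failures", e.get("user"), str(ip)))
        failures.pop(key, None)  # a success resets the failure streak
    return findings

if __name__ == "__main__":
    for kind, user, ip in find_admin_anomalies(SAMPLE_LOGS):
        print(f"{kind}: user={user} src={ip}")
```

In production the same checks would run against logs forwarded to a SIEM rather than an embedded string, with the allowlist taken from the device's trusted-host configuration.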

References

Key technical references used in this analysis include the official vendor security advisories from Fortinet, Ivanti, and Nvidia, as well as data collated from the National Vulnerability Database available at https://nvd.nist.gov. Additional references include technical Proof-of-Concept disclosures available on public repositories such as GitHub, documentation and threat intelligence shared on cybersecurity forums like Reddit and LinkedIn, and detailed exploitation analyses that reference the MITRE ATT&CK Framework found at https://attack.mitre.org. We have relied on a wide array of community-contributed reports and publications from established cybersecurity research organizations to validate and cross-correlate the exploitation methods used by persistent threat actors and to provide a comprehensive technical breakdown.

Rescana is here for you

At Rescana, we are dedicated to providing advanced cybersecurity intelligence and strategic guidance to protect your organization from emerging threats. Our Third-Party Risk Management (TPRM) platform is designed to enable you to assess, monitor, and mitigate risks from third-party suppliers, ensuring that vulnerabilities across your supply chain are effectively managed, even as new threat vectors emerge. We remain committed to delivering timely and accurate advisories that empower your cybersecurity teams to take decisive action against the threats highlighted in this report. Please do not hesitate to contact us if you have any questions or need further support regarding this advisory. We are always happy to assist and provide additional insights at ops@rescana.com.
