“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.
In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.
Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.
Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.
According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.
CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).
CISA declined to confirm or deny which of their systems were taken offline.
In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.
Other guidance for exposed agencies included continued threat hunting, authentication and identity management services monitoring, potentially infected system isolation and ongoing privilege level access accounts auditing.
Back in August 2023, a CISA alert stated that a vulnerability discovered in Ivanti Endpoint Manager Mobile allows unauthenticated access to specific API paths. This enables attackers to access personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on a vulnerable system. Hackers can also execute other configuration changes, such as installing software and modifying security profiles on registered devices.
Given the CISA directive was issued in January — but the breach was reported to have occurred in February — this leaves plenty of room for speculation about the efficacy of existing mitigation.
Although the recent CISA incident has not been attributed to any group or nation-state, reports surfaced earlier that hackers suspected of working for the Chinese government were responsible for exploiting Ivanti product vulnerabilities.
Research evidence suggests that the culprits infecting the devices are motivated by espionage objectives, according to security firms Volexity and Mandiant. Volexity discovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. Volexity researchers also report that the threat actor, tracked as UTA0178, is suspected to be a “Chinese nation-state-level threat actor.”
Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows hackers to circumvent authentication and provide backdoor access to these devices.
Ivanti has released an official security advisory and a knowledge base article that includes mitigation instructions that should be applied immediately. However, mitigation does not resolve a past or ongoing compromise. Therefore, security teams should thoroughly analyze systems and be on the lookout for signs of a breach.
Meanwhile, a CISA spokesperson said the agency continues to “upgrade and modernize our systems.” In short, that sums up what all organizations should be doing in the wake of news about these ongoing attacks.