CISA was forced to take two systems offline last month after Ivanti was compromised


Hackers breached Cybersecurity and Infrastructure Security Agency (CISA) systems in February using vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products used by the agency” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This reminds us that any organization can be affected by a cyber vulnerability and that having an incident response plan in place is a necessary part of resilience.”

CISA declined to answer a series of questions about who was behind the incident, whether any data was accessed or stolen and which systems were taken offline. Ivanti creates software that organizations use to manage IT, including security and system access.

A source with knowledge of the situation told Recorded Future News that the two compromised systems were the Infrastructure Protection (IP) Gateway, which hosts critical information about the interdependence of US infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private-sector chemical security plans. CISA declined to confirm or deny whether these were the systems that were taken offline.

CSAT houses some of the nation’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, site security plans and security vulnerability assessments.

CISA said organizations should review an advisory the agency issued on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways, including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Last week, several of the world’s largest cybersecurity agencies revealed that hackers had discovered a way to bypass a tool released by Ivanti to help organizations check whether they had been compromised.

CISA said that during “multiple incident response missions associated with this activity, CISA identified that Ivanti’s previous internal and external ICTs had failed to detect a compromise.” Additionally, CISA has conducted independent research in a laboratory environment confirming that Ivanti’s Integrity Checker Tool (ICT) is not sufficient to detect compromises and that a cyber threat actor may be able to achieve root-level persistence despite a factory reset.

Hackers were able to steal credentials on Ivanti devices and expand their access, in some cases to a complete domain compromise.

“The authoring organizations strongly encourage all organizations to consider the significant risk of adversary access and persistence on Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” they said.

Ivanti’s mobile endpoint management software is popular with governments around the world, and several vulnerabilities in the company’s products allowed hackers to remotely access victims’ personally identifiable information, such as names, phone numbers and other details on mobile devices. An attacker could also make other configuration changes, including creating an administrative account able to make further changes to a vulnerable system, CISA said in a security alert last year.

Since 2020, CISA has warned organizations about state-backed hackers, including those linked to China, who are exploiting vulnerabilities in Ivanti products.

Unidentified hackers began exploiting a new vulnerability affecting Ivanti products in attacks targeting the Norwegian government in April 2023, compromising a dozen state ministries.

CISA, Ivanti and several security companies, including Mandiant and Volexity, raised alarms about two vulnerabilities in early January, which were allegedly exploited by Chinese state-backed hackers. News of the bugs prompted cybercriminals and others to try to exploit them as well.

Agency officials previously told reporters that “about 15 agencies were using these products” but declined to confirm whether any of them had dealt with compromises. Agencies using these tools cover “a broad spectrum…across the full breadth of the federal mission,” one official said.

Two other vulnerabilities were discovered affecting the same products, with one confirmed to have been used in attacks against Ivanti customers, which include hundreds of government agencies around the world.

The two new vulnerabilities prompted CISA to order all federal civilian agencies in the United States to disconnect Ivanti Connect Secure and Policy Secure products by February 2. CISA then updated its notice on February 9 to indicate that the products could be reactivated after being patched.
