Cyber agency took systems offline after hack, report

CISA cautioned last month about threat actors exploiting multiple Ivanti vulnerabilities


The US Cybersecurity and Infrastructure Security Agency (CISA) was compelled to take two systems offline last month after hackers breached its defences through security flaws in Ivanti products.

A CISA spokesperson told The Record that the agency "identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses" about a month ago.

"The impact was limited to two systems, which we immediately took offline," the spokesperson said, adding that the agency continues to modernise its systems, and that there was "no operational impact at this time."

The breached systems reportedly included the Infrastructure Protection Gateway and the Chemical Security Assessment Tool (CSAT), both pivotal in evaluating and safeguarding critical infrastructure across the United States.

CSAT, in particular, houses highly sensitive industrial information critical for national security, including data on high-risk chemical facilities and security plans.

While CISA declined to confirm the specific systems affected, the spokesperson did stress the importance of reviewing the advisory released on 29 February, which warned of threat actors exploiting vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

CISA is a government entity tasked with bolstering the US cybersecurity framework. Formed under the Department of Homeland Security (DHS) in November 2018, its creation was prompted by growing concern about cyber threats and the protection of critical infrastructure.

Ivanti is a provider of infrastructure management software with a global clientele exceeding 40,000 customers. Ivanti's mobile endpoint management software is popular among governments worldwide.

While the perpetrators behind the CISA attack have not been identified, they are believed to have exploited recently discovered vulnerabilities within Ivanti Connect Secure VPN and Ivanti Policy Secure products.

CISA, alongside Ivanti and numerous security firms, sounded the alarm in early January regarding two vulnerabilities purportedly exploited by Chinese state-sponsored espionage hackers. Subsequently, cybercriminals and other entities sought to exploit these vulnerabilities.

On 1 February, CISA directed federal agencies to deactivate their deployments of two Ivanti products, namely Connect Secure and Policy Secure.

Weeks later, on 29 February, the agency cautioned organisations about threat actors exploiting four Ivanti vulnerabilities identified as CVE-2023-46805, CVE-2024-21887, CVE-2024-22024 and CVE-2024-21893. It said that these vulnerabilities could be "used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges."

CISA also disclosed some "initial targeting" of Ivanti deployments at federal agencies, telling The Record that approximately 15 agencies use the company's software.

In response to the breach, Ivanti released patches to address the vulnerabilities, urging customers to install updates and reset their environments to default settings.

However, recent research by CISA indicates that these mitigations may not be foolproof, raising concerns about the efficacy of current security measures.

"During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," the federal agency said.

Ivanti has since released an updated version of the Integrity Checker Tool (ICT).

Estimates from cybersecurity firm Volexity LLC suggest that at least 2,000 deployments of vulnerable Ivanti products may have been compromised, highlighting the scale of the potential threat.