CISA forced to take two systems offline last month after Ivanti compromise

Avatar

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline.

CSAT houses some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Last week, several of the world’s leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised.

CISA said during “multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”

Hackers were able to steal credentials on Ivanti devices and expand their access to, in some cases, full domain compromise.

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” they said.

Ivanti’s mobile endpoint management software is popular among governments around the world and several vulnerabilities in the company’s products have allowed hackers to remotely access victims’ personally identifiable information, such as names, phone numbers and other mobile device details. An attacker can also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said in a security alert last year.

Since 2020, CISA has warned organizations of state-backed hackers — including ones linked to China — exploiting vulnerabilities in Ivanti products.

Unidentified hackers began exploiting a new vulnerability affecting Ivanti products in attacks targeting the Norwegian government in April 2023, compromising a dozen state ministries.

CISA, Ivanti and several security companies, including Mandiant and Volexity, raised alarms about two vulnerabilities in early January that were allegedly being exploited by Chinese state-backed espionage hackers. News of the bugs prompted cybercriminals and others to attempt to exploit them as well.

Agency officials previously told reporters that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum… across the breadth of the federal mission,” an official said.

Another two vulnerabilities were discovered affecting the same products, with one of them confirmed to have been used in attacks on Ivanti customers — which include hundreds of government agencies around the world.

The two new vulnerabilities prompted CISA to order all federal civilian agencies in the U.S. to disconnect Ivanti Connect Secure and Policy Secure products by February 2. CISA later updated its advisory on February 9 to say that products could be turned back on after they were patched.

CybercrimeGovernmentNewsTechnology
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 

Total
0
Shares
Previous Post

DevSecOps Sydney

Next Post

CISA forced to take two systems offline last month after Ivanti compromise

Related Posts

New “Raptor Train” IoT Botnet Compromises Over 200,000 Devices Worldwide

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,
Avatar
Read More

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the
Avatar
Read More