CISA forced to take two systems offline last month after Ivanti compromise

Avatar

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline.

CSAT houses some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Last week, several of the world’s leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised.

CISA said during “multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”

Hackers were able to steal credentials on Ivanti devices and expand their access to, in some cases, full domain compromise.

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” they said.

Ivanti’s mobile endpoint management software is popular among governments around the world and several vulnerabilities in the company’s products have allowed hackers to remotely access victims’ personally identifiable information, such as names, phone numbers and other mobile device details. An attacker can also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said in a security alert last year.

Since 2020, CISA has warned organizations of state-backed hackers — including ones linked to China — exploiting vulnerabilities in Ivanti products.

Unidentified hackers began exploiting a new vulnerability affecting Ivanti products in attacks targeting the Norwegian government in April 2023, compromising a dozen state ministries.

CISA, Ivanti and several security companies, including Mandiant and Volexity, raised alarms about two vulnerabilities in early January that were allegedly being exploited by Chinese state-backed espionage hackers. News of the bugs prompted cybercriminals and others to attempt to exploit them as well.

Agency officials previously told reporters that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum… across the breadth of the federal mission,” an official said.

Another two vulnerabilities were discovered affecting the same products, with one of them confirmed to have been used in attacks on Ivanti customers — which include hundreds of government agencies around the world.

The two new vulnerabilities prompted CISA to order all federal civilian agencies in the U.S. to disconnect Ivanti Connect Secure and Policy Secure products by February 2. CISA later updated its advisory on February 9 to say that products could be turned back on after they were patched.

CybercrimeGovernmentNewsTechnology
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.

 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

CISA forced to take two systems offline last month after Ivanti compromise

Next Post

Change Healthcare brings some systems back online after cyberattack

Related Posts

Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
Jason Macuray
Read More

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices. “This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs,
Avatar
Read More