CISA forced to take its own systems offline following Ivanti alert


The US Cybersecurity and Infrastructure Security Agency (CISA) was itself hit by a cyber attack exploiting vulnerabilities in a number of Ivanti products, according to officials at the agency.

A CISA spokesperson told The Record the breach occurred in February and affected two systems, which an anonymous source identified as the Infrastructure Protection (IP) Gateway and Chemical Security Assessment Tool (CSAT).

The IP Gateway is a web-based portal underpinning the collection, analysis, and distribution of sensitive information relating to critical national infrastructure assets within the US. 

The CSAT is an online portal housing the survey and application data submitted by chemical facilities deemed high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).

The CSAT holds some of the country's most sensitive industrial security information, including Site Security Plans (SSP), Security Vulnerability Assessments (SVA), and Top-Screen surveys in which facilities report their possession of chemicals of interest (COI).

The CISA spokesperson said the impact of the attack was limited to just two systems, which it took offline as soon as it was aware of the malicious activity, but declined to confirm or deny if these were the IP Gateway and CSAT.

CISA warned organizations about Ivanti risk, but failed to protect itself

In January 2024, Ivanti disclosed two vulnerabilities affecting all supported versions (9.x and 22.x) of its Connect Secure and Policy Secure gateways. Both flaws sit in the web component of the products.

The first, CVE-2023-46805, is an authentication bypass that allows an attacker to circumvent the web component's control checks; it carries a CVSS score of 8.2.

The second, CVE-2024-21887, is a command injection vulnerability that lets an attacker remotely execute arbitrary commands on the affected appliance; it is rated 9.1 on the CVSS. Chained together, the two flaws allow unauthenticated remote command execution.

On 31 January, CISA issued supplemental direction to its emergency directive on the flaws, ordering federal agencies running the affected products to disconnect all instances of Connect Secure and Policy Secure from their networks.

Agencies were also directed to continue threat hunting on any systems connected to, or recently connected to, the affected appliances, to isolate those systems as far as possible, and to continue auditing privileged access accounts.

On 29 February, CISA issued an advisory warning that threat actors were actively exploiting these flaws, and that in combination they could be used to launch sophisticated attacks.

“The vulnerabilities impact all supported versions and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.”

CISA encouraged organizations to assume any user and service account credentials stored within the affected Ivanti VPN appliances were likely compromised.

The agency also provided detection methods and indicators of compromise (IOC) to help organizations detect malicious activity on their networks. 

Initial disclosure sparked torrent of exploitation attempts

The affected products have been subjected to a flood of attacks over the previous month, according to research. 

Analysis from cloud computing company Akamai found that, since the initial vulnerability disclosure in January, Ivanti Connect Secure products had been the subject of over 250,000 attacks each day.

Akamai said threat actors began attempting to exploit the vulnerabilities in mid-January, recording a surge in "widespread exploitation" of Connect Secure and Policy Secure in the 24 hours following the disclosure.

Most of the attacks were probes, according to Akamai: attackers attempted to deliver payloads that beacon back to attacker-controlled domains, confirming which targets are exploitable. These probes were followed by new proof-of-concept (PoC) exploits for remote code execution (RCE).

Check Point published similar research outlining a recent campaign in which the threat actor Magnet Goblin exploited the Ivanti Connect Secure VPN vulnerabilities.

The campaign was reported to have started within a day of the patch being issued, seeking to exploit the flaws before organizations were able to secure their systems.

Check Point's analysis states that Magnet Goblin used the vulnerabilities as an initial infection vector to deliver a novel Linux version of the Nerbian malware family, specifically NerbianRAT, which the group is known for using in its attacks.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.