CISA breached

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned the public about dangerous vulnerabilities in Ivanti software products, and even issued an emergency directive ordering US federal agencies to disconnect unpatched VPN instances. It turns out that CISA itself was compromised, and two of its systems had to be taken offline.

CISA discovered last month that it had been hacked and was forced to take two key computer systems offline, according to CNN. One system was used to share cyber and physical security assessment tools among federal, state, and local officials. The other holds security assessment information on chemical facilities.

The hack did not affect CISA’s operations, and the two affected systems were older ones already slated for replacement.

According to a report by Recorded Future News, malicious actors exploited vulnerabilities in Ivanti products. Ivanti is a Utah-based software company that provides IT management and security solutions, including virtual private networking (VPN) products.

For several weeks, CISA had been urging organizations to update the Ivanti software, which has been plagued by high- and critical-severity vulnerabilities.

Ivanti disclosed two new vulnerabilities in its Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways on January 10th. Two additional vulnerabilities were announced on January 31st, and a fifth was disclosed on February 8th. Attackers could chain the vulnerabilities to execute code remotely without authentication on affected systems, Unit 42 reported.

Following the disclosures, CISA ordered US federal agencies to “as soon as possible and no later than 11:59 PM on Friday, Feb. 2nd, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.” Agencies were allowed to reconnect the products after patching them.

“Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring,” a spokesperson for Ivanti said.

Ivanti and its partners “are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.” The company provides further guidance on its blog.

It’s not clear who was behind the breach at CISA. According to private researchers who spoke to CNN, Chinese groups have been observed exploiting the known flaws.

Updated on March 13th [08:00 a.m. GMT] with a statement from Ivanti
