
Ivanti Flaw Exploited In CISA Cyberattack: Patch Now

CISA shared a warning in late February about cyber actors exploiting Ivanti Connect Secure and Policy Secure vulnerabilities.

by Ashish Khaitan, March 20, 2024, in Data Breach News, Firewall Daily


Unknown hackers exploited vulnerabilities in Ivanti software to infiltrate the Cybersecurity and Infrastructure Security Agency (CISA), leading to a significant breach of its networks. This forced the agency to shut down key systems in response to the breach.

That CISA, the primary guardian of infrastructure and cybersecurity for the entire US government, was itself targeted underscores the sophistication of the attack.

Approximately a month ago, CISA detected concerning activity indicating that Ivanti products the agency relies on were being exploited.

CISA Cyberattack Recovery

According to a spokesperson from CISA interviewed by Cybersecurity Dive, the agency promptly took two compromised systems offline as a precautionary step. Fortunately, operational activities remained unaffected during that period.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson said.

Prior to this incident, CISA had issued a warning in late February regarding cyber threat actors exploiting known vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.

These products, integral to secure network access, had become targets for malicious actors seeking unauthorized access.

CISA Hacked with Broader Implications

The breach within CISA's infrastructure became apparent when two critical systems were compromised. One of the affected systems was the Infrastructure Protection (IP) Gateway, housing crucial information concerning the interdependency of U.S. infrastructure. The other compromised system was the Chemical Security Assessment Tool (CSAT), responsible for managing private-sector chemical security plans.

The Cyber Express has reached out to CISA to learn more about this cyberattack. At the time of writing, no official statement about the hackers has been received. It was confirmed, however, that CISA had already taken precautionary measures by disconnecting Ivanti products from its systems following the initial detection of the exploitation.

The exploitation of vulnerabilities within Ivanti products was not limited to CISA alone. The threat had broader implications, prompting federal and international cyber authorities to issue a global alert in late February. It was advised that organizations using Ivanti products should take immediate steps to secure their systems, emphasizing the importance of having robust incident response plans in place.

The Ivanti Vulnerability

Source: NVD

The or (XXE), affected Ivanti Connect Secure and Ivanti Policy Secure products and was linked to the CISA cyberattack. According to the National Cyber Security Centre (NCSC), the Ivanti vulnerability “is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS which allows a remote attacker to access restricted resources by bypassing control checks.”

Discovered during internal code review and disclosed by watchTowr, this vulnerability impacted specific versions of Ivanti Connect Secure (9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2), Ivanti Policy Secure (22.5R1.1), and ZTA (22.6R1.3).

Patch updates were made available for affected versions. The provided mitigation was effective, and those who applied the patch released in January or February did not need to reset their appliances.

However, the security patches were released only after weeks of exploitation activity, complicating assessment of the vulnerability and its broader implications.
