Light Dark
March 18, 2024 By Jonathan Reed 3 min read
News

The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

CISA takes systems offline

Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.

According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.

CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).

CISA declined to confirm or deny which of their systems were taken offline.

Ongoing Ivanti vulnerabilities

In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.

Other guidance for exposed agencies included continued threat hunting, authentication and identity management services monitoring, potentially infected system isolation and ongoing privilege level access accounts auditing.

Back in August 2023, a CISA alert stated that a vulnerability discovered in Ivanti Endpoint Manager Mobile allows unauthenticated access to specific API paths. This enables attackers to access personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on a vulnerable system. Hackers can also execute other configuration changes, such as installing software and modifying security profiles on registered devices.

CISA attack authors unidentified

Although the recent CISA incident has not been attributed to any group or nation-state, reports surfaced earlier that hackers suspected of working for the Chinese government were responsible for exploiting Ivanti product vulnerabilities.

Research evidence suggests that the culprits infecting the devices are motivated by espionage objectives, according to security firms Volexity and Mandiant. Volexity discovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. Volexity researchers also report that the threat actor, tracked as UTA0178, is suspected to be a “Chinese nation-state-level threat actor.”

Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows hackers to circumvent authentication and provide backdoor access to these devices.

Bringing Ivanti products back online

Ivanti has released an official security advisory and a knowledge base article that includes mitigation instructions that should be applied immediately. However, mitigation does not resolve a past or ongoing compromise. Therefore, security teams should thoroughly analyze systems and be on the lookout for signs of a breach.

Meanwhile, a CISA spokesperson said the agency continues to “upgrade and modernize our systems.” In short, that sums up what all organizations should be doing in the wake of news about these ongoing attacks.

Explore the latest threat intelligence

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

 |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.”In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1 billion…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

April 29, 2024

The major hardware flaw in Apple M-series chips

3 min read - The “need for speed” is having a negative impact on many Mac users right now. The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP). DMP’s benefits and vulnerabilities DMP predicts memory addresses that the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature