March 18, 2024 By Jonathan Reed 3 min read

The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

CISA takes systems offline

Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.

According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.

CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).

CISA declined to confirm or deny which of their systems were taken offline.

Ongoing Ivanti vulnerabilities

In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.

Other guidance for exposed agencies included continued threat hunting, authentication and identity management services monitoring, potentially infected system isolation and ongoing privilege level access accounts auditing.

Back in August 2023, a CISA alert stated that a vulnerability discovered in Ivanti Endpoint Manager Mobile allows unauthenticated access to specific API paths. This enables attackers to access personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on a vulnerable system. Hackers can also execute other configuration changes, such as installing software and modifying security profiles on registered devices.

CISA attack authors unidentified

Although the recent CISA incident has not been attributed to any group or nation-state, reports surfaced earlier that hackers suspected of working for the Chinese government were responsible for exploiting Ivanti product vulnerabilities.

Research evidence suggests that the culprits infecting the devices are motivated by espionage objectives, according to security firms Volexity and Mandiant. Volexity discovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. Volexity researchers also report that the threat actor, tracked as UTA0178, is suspected to be a “Chinese nation-state-level threat actor.”

Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows hackers to circumvent authentication and provide backdoor access to these devices.

Bringing Ivanti products back online

Ivanti has released an official security advisory and a knowledge base article that includes mitigation instructions that should be applied immediately. However, mitigation does not resolve a past or ongoing compromise. Therefore, security teams should thoroughly analyze systems and be on the lookout for signs of a breach.

Meanwhile, a CISA spokesperson said the agency continues to “upgrade and modernize our systems.” In short, that sums up what all organizations should be doing in the wake of news about these ongoing attacks.

Explore the latest threat intelligence

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today