March 18, 2024 By Jonathan Reed 3 min read

The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.

“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.

In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed SSL VPN, while Ivanti Policy Secure (IPS) is a network access control (NAC) solution.

Now, CISA itself has fallen victim to a cyberattack involving Ivanti products.

CISA takes systems offline

Apparently, the attack compromised two CISA systems, which were immediately taken offline. As of this writing, no operational impact has been reported.

According to an early report on the breach, an anonymous source said that the compromised systems were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans.

CSAT is an online portal that contains highly sensitive information that determines which facilities are considered high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).

CISA declined to confirm or deny which of their systems were taken offline.

Ongoing Ivanti vulnerabilities

In addition to the February warning about Ivanti products, CISA issued a directive in late January to all federal agencies that run the products. The directive stated that the agencies must disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.

Other guidance for exposed agencies included continued threat hunting, authentication and identity management services monitoring, potentially infected system isolation and ongoing privilege level access accounts auditing.

Back in August 2023, a CISA alert stated that a vulnerability discovered in Ivanti Endpoint Manager Mobile allows unauthenticated access to specific API paths. This enables attackers to access personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on a vulnerable system. Hackers can also execute other configuration changes, such as installing software and modifying security profiles on registered devices.

CISA attack authors unidentified

Although the recent CISA incident has not been attributed to any group or nation-state, reports surfaced earlier that hackers suspected of working for the Chinese government were responsible for exploiting Ivanti product vulnerabilities.

Research evidence suggests that the culprits infecting the devices are motivated by espionage objectives, according to security firms Volexity and Mandiant. Volexity discovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. Volexity researchers also report that the threat actor, tracked as UTA0178, is suspected to be a “Chinese nation-state-level threat actor.”

Mandiant, which tracks the attack group as UNC5221, believes the threat actors are conducting an “espionage-motivated APT campaign.” Mandiant investigators shared details of five malware families associated with the exploitation of Ivanti devices. The malware allows hackers to circumvent authentication and provide backdoor access to these devices.

Bringing Ivanti products back online

Ivanti has released an official security advisory and a knowledge base article that includes mitigation instructions that should be applied immediately. However, mitigation does not resolve a past or ongoing compromise. Therefore, security teams should thoroughly analyze systems and be on the lookout for signs of a breach.

Meanwhile, a CISA spokesperson said the agency continues to “upgrade and modernize our systems.” In short, that sums up what all organizations should be doing in the wake of news about these ongoing attacks.

Explore the latest threat intelligence

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from News

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today