Unknown hackers exploited vulnerabilities in Ivanti software to infiltrate the Cybersecurity and Infrastructure Security Agency (CISA), leading to a significant breach of its networks. This CISA cyberattack forced the agency to shut down key systems in response to the breach.
As the primary guardian of infrastructure and cybersecurity for the entire US government, CISA’s targeting underscores the sophistication of the attack.
Approximately a month ago, CISA detected concerning activity indicating that its vital software, Ivanti products, were being leveraged for exploitation.
CISA Cyberattack Recovery
According to a spokesperson from CISA interviewed by Cybersecurity Dive, the agency promptly took two compromised systems offline as a precautionary step. Fortunately, operational activities remained unaffected during that period.
“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” denoted a CISA spokesperson.
Prior to this incident, CISA had issued a warning in late February regarding cyber threat actors exploiting known vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.
These products, integral to secure network access, had become targets for malicious actors seeking unauthorized access.
CISA Hacked with Broader Implications
The breach within CISA’s infrastructure became apparent when two critical systems were compromised. One of the affected systems was the Infrastructure Protection (IP) Gateway, housing crucial information concerning the interdependency of U.S. infrastructure. The other compromised system was the Chemical Security Assessment Tool (CSAT), responsible for managing private-sector chemical security plans.
The Cyber Express has reached out to CISA to learn more about this cyberattack. However, at the time of writing, no official statement about the hackers has been received. However, it was confirmed that CISA had already taken precautionary measures by disconnecting Ivanti products from its systems following the initial detection of vulnerabilities.
The exploitation of vulnerabilities within Ivanti products was not limited to CISA alone. The threat had broader implications, prompting federal and international cyber authorities to issue a global alert in late February. It was advised that organizations using Ivanti products should take immediate steps to secure their systems, emphasizing the importance of having robust incident response plans in place.
The Ivanti Vulnerability
The Ivanti vulnerability or CVE-2024-22024 (XXE), affected Ivanti Connect Secure and Ivanti Policy Secure products and was part of the link connected to the CISA cyberattack. According to the National Cyber Security Centre (NCSC), the Ivanti vulnerability “is an authentication bypass vulnerability in the web component of ICS (9.x, 22.x) and IPS which allows a remote attacker to access restricted resources by bypassing control checks.”
Discovered during internal code review and disclosed by watchTowr, this vulnerability impacted specific versions of Ivanti Connect Secure (9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2), Ivanti Policy Secure (22.5R1.1), and ZTA (22.6R1.3).
Patch updates were made available for affected versions. The provided mitigation was effective, and those who applied the patch released in January or February did not need to reset their appliances.
However, the security patches were released after weeks of exploitation activity, spilling the vulnerability assessment and its broader implications.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.