CISA Warns of Ivanti Zero-Day Exploits

CISA Warns of Ivanti Zero-Day Exploits

Urgent Mitigation Measures Mandated by CISA for Federal Agencies

In a significant development, the Cybersecurity and Infrastructure Security Agency (CISA) has issued the first emergency directive of the year, mandating Federal Civilian Executive Branch (FCEB) agencies to urgently address two zero-day vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have been actively exploited by multiple threat actors since December, raising widespread concerns about the security of federal systems.

Exploits Enable Lateral Movement and Persistent Access

The exploits, when combined, enable threat actors to navigate laterally within a targeted network, exfiltrate sensitive data, and establish persistent access through the deployment of backdoors. With Ivanti yet to release security patches to rectify these vulnerabilities, CISA has deemed the situation to pose an unacceptable risk to FCEB agencies, prompting the issuance of emergency directive ED 24-01.

Mitigation Measures Outlined in the CISA Directive

As outlined in the directive, federal agencies are now obligated to promptly implement Ivanti’s publicly disclosed mitigation measures to thwart ongoing attack attempts. In addition to these measures, agencies must leverage Ivanti’s External Integrity Checker Tool and adhere to a set of comprehensive actions outlined in the directive.

Immediate Reporting and Removal of Compromised Products

First and foremost, agencies are required to report any indications of compromise promptly to CISA through the designated communication channel at [email protected]. Subsequently, agencies are instructed to remove compromised Ivanti products from their networks and initiate a thorough incident analysis. This includes preserving data from compromised devices through the creation of forensic hard drive images while actively searching for indications of further compromise.

Restoration Steps and Security Measures

To bring a compromised product back into service, agencies are directed to reset the device with the affected Ivanti solution software to factory default settings and remove the attack vector by applying Ivanti’s provided mitigations. The directive also outlines a series of additional steps to fully restore impacted appliances, including the revocation and reissuance of stored certificates, resetting of administrative enable passwords, resetting of stored API keys, and the resetting of passwords for any local users defined on the gateway.

Timely Application of Updates and Reporting Requirements

Furthermore, agencies are mandated to apply updates addressing the two vulnerabilities referenced in the directive as soon as they become available, with a strict deadline of no later than 48 hours following their release by Ivanti. One week after the issuance of the directive, agencies are required to report to CISA, using the provided template, a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products on agency networks. This report must include details on the actions taken and results achieved in response to the CISA directive.

Monitoring Efforts Highlight Severity of the Situation

The severity of the situation is underscored by the monitoring efforts of threat intelligence entities. Shadowserver, a threat monitoring service, currently tracks over 16,200 ICS VPN appliances exposed online, with more than 4,700 located in the United States. Notably, these exposed Ivanti ICS devices have become the target of active exploitation, with over 420 hacked devices spotted on January 18 alone.

Advanced Exploitation Tactics and Identified Threat Actors

One of the threat actors involved in the attacks, suspected to be a Chinese state-backed group tracked as UTA0178 and UNC5221, has already backdoored over 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant, according to reports from threat intelligence company Volexity. Mandiant, during its investigation into these attacks, discovered the deployment of five custom malware strains on breached customers’ systems. These strains have been designed to steal credentials, deploy webshells, and introduce additional malicious payloads.

Broad Spectrum of Victims and Varied Industry Sectors

The threat actor behind these attacks has been actively harvesting and stealing account and session data, posing a significant risk to the compromised networks. Victims identified so far include government and military departments worldwide, national telecom companies, defense contractors, technology companies, banking and finance organizations, worldwide consulting outfits, and aerospace, aviation, and engineering firms. The targeted entities vary widely in size, ranging from small businesses to some of the largest organizations globally, including multiple Fortune 500 companies spanning various industry sectors.

Cryptocurrency Mining and Malicious Payloads

Volexity and GreyNoise, in their monitoring efforts, have observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads. The dynamics of the situation highlight the critical need for agencies to adhere promptly and comprehensively to the directives outlined in ED 24-01 to mitigate the risks posed by these zero-day vulnerabilities.

Collaborative Approach Emphasized

In conclusion, the emergency directive issued by CISA in response to the zero-day vulnerabilities affecting Ivanti appliances reflects the seriousness of the situation and the urgency required in mitigating the risks posed by active exploitation. The comprehensive set of actions outlined in the directive aims to guide federal agencies in promptly addressing the vulnerabilities, securing their networks, and preventing further compromise. The ongoing monitoring efforts by threat intelligence entities emphasize the evolving nature of the threat landscape, underscoring the importance of a proactive and collaborative approach to cybersecurity at both the national and organizational levels.

Stay Informed and Stay Secure with the Latest Hacker News: Your Daily Source for Cutting-Edge Cybersecurity Updates!