CISA Attacked In Ivanti Vulnerabilities Exploit Rush
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and various national and international partners, has issued a Cybersecurity Advisory warning about the active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.
This collaborative effort, including contributions from Volexity, Ivanti, Mandiant, and other key industry players, highlights the exploitation of three specific vulnerabilities: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
CVE-2023-46805 (Authentication Bypass): An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
CVE-2024-21887 (Command Injection): A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Chained with CVE-2023-46805, the authentication requirement falls away and an unauthenticated attacker gains remote code execution on the appliance.
CVE-2024-21893 (Server-Side Request Forgery): A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an attacker to access certain restricted resources without authentication.
Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and in Ivanti Policy Secure gateways. These vulnerabilities affect the 9.x and 22.x version lines.
These flaws, present in all supported versions of the software, allow attackers to bypass authentication, submit crafted requests, and execute commands with elevated privileges.
A critical issue raised is that attackers have been able to evade Ivanti's Integrity Checker Tool, so a clean ICT result does not by itself rule out compromise. Because the checker runs on the same appliance an attacker may already control, defenders should not treat it as the sole evidence of integrity.
A spokesperson for CISA disclosed that indications of malicious exploitation targeting vulnerabilities in Ivanti products that form part of the agency's own technology stack were identified approximately a month earlier.
This disclosure follows a joint advisory from CISA and international partners issued in late February, warning of active exploitation of known flaws in Ivanti Connect Secure and Ivanti Policy Secure, which provide SSL VPN and network access control (NAC) services respectively.
CISA has acknowledged that the attack exploited these weaknesses in Ivanti's software, leading to the compromise of two of its systems.
Both systems were promptly taken offline, and no operational impact has been reported so far. While not officially confirmed, early reporting suggests the breach affected the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, both used for national infrastructure and chemical security oversight.
Based on the authoring organisations' observations during incident response activities and available industry reporting, supplemented by CISA's own research findings, the authoring organisations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit-level persistence on a device that has been reset and lie dormant for an arbitrary amount of time.
For example, as outlined in the advisory "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure", sophisticated actors may remain silent on compromised networks for long periods.
The authoring organisations strongly urge all organisations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Against this backdrop, the earlier joint advisory had already warned of the ongoing threat posed by these vulnerabilities in Ivanti's platforms.
In a proactive measure earlier this year, CISA directed federal agencies to disconnect Ivanti VPN appliances from their networks and to reset them before reconnecting, as part of a broader strategy that includes continued threat hunting and rigorous review of access controls.
Separately, a flaw disclosed in August 2023 in Ivanti Endpoint Manager Mobile, which allowed unauthorised API access, had already placed Ivanti's security posture under scrutiny.
Ivanti has published a formal security advisory alongside a knowledge base article detailing immediate mitigation steps.
These mitigations, however, only reduce exposure going forward; they do not remediate systems that were already compromised. Security teams should therefore treat mitigation as the first step, conduct a thorough forensic analysis of affected appliances, and keep hunting for indicators of compromise.
While the actors behind the recent breach at CISA have not been officially identified, there is widespread speculation that groups operating on behalf of the Chinese government were involved, with espionage as the motive.
Reporting from security firms Volexity and Mandiant describes the adversaries' techniques and objectives, underscoring the complexity of the cyber espionage landscape.
“This is a reminder that any organisation can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the CISA spokesperson reaffirmed.
“We strongly urge all organizations to review our latest Ivanti advisory and take the steps outlined in it to protect their systems.”
The incident amplifies the call for rigorous security practices and highlights the importance of prompt, decisive incident response.
As Ivanti rolls out fixes and advisories in response to these vulnerabilities, the episode underlines the enduring challenge of safeguarding digital assets against determined and sophisticated adversaries.