The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to immediately patch or mitigate recently disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products. The vulnerabilities are being actively exploited by state-sponsored Chinese hackers to compromise devices and networks globally.
Background
Ivanti provides software for secure remote access and network access control. The company’s products, Ivanti Connect Secure and Ivanti Policy Secure, are used by thousands of organizations worldwide, including various US federal agencies.
On January 11th, Ivanti disclosed two critical zero-day vulnerabilities affecting these products after researchers detected exploits in the wild. The flaws allow authentication bypass and arbitrary code execution, enabling attackers to gain full control of vulnerable servers.
Multiple cybersecurity firms and government agencies have since confirmed and tracked increasing exploitation of these vulnerabilities by suspected Chinese state-sponsored hackers. The campaign appears to be targeting foreign governments and militaries including agencies in the US, Canada, Australia, and Europe.
Details of the Emergency Directive
On January 19th, CISA issued Emergency Directive 24-01 ordering federal civilian agencies to immediately apply available patches or implement workarounds for the flaws.
The directive notes that exploitation of the Ivanti vulnerabilities is expected to increase rapidly, potentially compromising hundreds of thousands of devices globally. It states that compromise of federal networks via these vulnerabilities could severely impact security and emergency services, causing “possible loss of life and catastrophic economic damage.”
Required Mitigations
The mitigations agencies must take include:
- Patching vulnerable Ivanti servers to the latest software versions immediately
- Implementing available device configuration workarounds to block exploitation
- Disconnecting or disabling vulnerable Ivanti devices if patching is not an option
- Using network segmentation controls to isolate vulnerable systems
Additionally, agencies must report compliance with the mandated mitigations to CISA within 10 business days.
Attacks Rapidly Increasing
In the days since Ivanti’s disclosure, attacks exploiting the vulnerabilities have accelerated across the globe:
- January 16th: Ivanti reported attacks compromising over 1700 VPN servers from multiple countries
- January 18th: Researchers uncovered a third zero-day in exploited Ivanti devices
- January 19th: CISA estimated over 200 US federal agencies using vulnerable Ivanti software
Cybersecurity firms tracking the attacks assess that tens of thousands of vulnerable endpoints have already been compromised by hackers.
Furthermore, they warn that any organization using Ivanti Connect Secure before version 9.8 or Ivanti Policy Secure before version 5.8 could be at risk.
Chinese State Hackers Behind Exploits
Multiple cybersecurity companies have attributed exploitation of the Ivanti flaws to Chinese state-sponsored hackers with high confidence. Specifically:
- Mandiant tracked activity to a Chinese group known as UNC3890
- Anomali identified techniques used by groups APT41 and BARIUM
- Microsoft and CrowdStrike have also linked the exploits to China
The hackers appear to have had access to the zero-days prior to their public disclosure, suggesting the vulnerabilities were stolen or purchased through underground markets. The exploits enable them to gain remote admin access and are being used as part of larger cyber espionage campaigns.
Targets compromised so far lean heavily towards Western military and foreign affairs related agencies.
Potential Impact and Outlook
With many Ivanti customers still unpatched and scrambling to mitigate, experts assess the situation remains extremely concerning:
- Widespread credential theft and network infiltration expected
- Sensitive government and military data is at risk
- Hackers could utilize networks as launch points for further attacks
While federal civilian agencies should now be enacting CISA’s mandated mitigations, there are fears these developments could be just the tip of the iceberg.
Similar emergency directives and warnings have gone out to government and public sector entities in Canada, the UK, Australia and beyond. However, many affected private sector companies may still be unaware that their systems have already been compromised via the Ivanti flaws.
In the US, the priority has now shifted to compliance enforcement and trying to track inevitable fallout from agencies or networks that failed to mitigate in time. But globally there are worries of a long tail of incident response activities needed to uncover and remediate intrusions in the months ahead.
Notable Recent Statements
Cybersecurity leaders and government officials have made stark warnings over the last week highlighting the importance of patching:
“This activity poses an imminent threat to federal networks and requires an immediate and emergency action.” – CISA Director Jen Easterly
“The rapid weaponization and active exploitation of these vulnerabilities indicate we are likely still just seeing the tip of the iceberg.” – Charles Carmakal, Mandiant SVP
“Patching these vulnerabilities is mission critical for any organization using Ivanti products.” – National Cyber Security Center (UK)
Timeline of Key Events
| Date | Event |
|---|---|
| December 20th, 2022 | Suspected initial exploitation; vulnerabilities stolen or leaked |
| January 11th, 2023 | Ivanti discloses 2 critical zero-days after attacks detected |
| January 13th | Detailed vulnerability analysis released |
| January 16th | Ivanti reports mass exploitation impacting 1700+ VPNs |
| January 18th | A third zero-day identified in ongoing analysis |
| January 19th | CISA issues emergency directive to US federal agencies |
| January 19th | 200+ US agencies confirmed using vulnerable Ivanti software |
The timeline shows a very short 13-day window between initial public disclosure of the Ivanti flaws and confirmation of large-scale active exploitation impacting hundreds of US government networks. The rapid weaponization left many organizations exposed and needing to mitigate quickly once the vulnerabilities and attacks came to light through January.
Looking Ahead
Over the next few months, organizations across various industries could discover they were impacted without having realized it. There are further fears this incident could enable secondary attacks leveraging compromised networks and credentials.
While early warnings focused heavily on government agencies and militaries, the implications likely reach into healthcare, finance, energy and other critical infrastructure sectors exposed through third-party software.
The key priority now will be identifying and remediating breaches stemming from these attacks, to prevent adversaries from converting network access into further data theft or operational disruption.
For impacted organizations, extensive log analysis, forensic investigation, credential resets and applying indicators of compromise will likely be required even after the available Ivanti patches are applied.
In summary, this emergency directive on critical Ivanti software vulnerabilities capped off three hectic weeks of scrambling to contain active exploitation by suspected Chinese hackers. While early warnings prioritized government entities, the incident looks poised to cement itself as a landmark case study on the speed and scale of modern cyber campaigns. For any organization using Ivanti’s products, understanding exposure levels and mitigating risk remains essential, given the likelihood of advanced persistent threat groups capitalizing on access obtained through these attacks for months ahead.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.