Governance & Risk Management
,
Government
,
Industry Specific
CISA Says Agencies Must Disconnect and Reset Ivanti VPN Devices by Midnight Friday
U.S. federal agencies have until midnight Friday to disconnect Ivanti VPN devices and perform a factory reset before reconnecting them to the network.
See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government
A Tuesday directive from the Cybersecurity and Infrastructure Security Agency orders federal agencies to reset the gateways – even at the cost of potentially exposing authentication or identity management services to the internet. The directive came shortly after Utah software developer Ivanti disclosed another set of zero-days on top of a pair of vulnerabilities exploited by a likely Chinese espionage hacking operation (see: Suspected Chinese Hackers Exploit 2 Ivanti Zero-Days).
To bring Ivanti appliances back online, agencies must export their configuration, factory reset the gateways, rebuild using patched software versions and revoke all connected or exposed certificates, keys and passwords.
Ivanti on Tuesday began to roll out – on a staggered schedule – patches for gateway devices, after security researchers earlier this month disclosed that hackers had chained two flaws – tracked as CVE-2023-46805 and CVE-2024-21887 – to bypass authentication, including multifactor authentication, and achieve remote code execution. The patches also resolve the new zero-days – CVE-2024-21888, a privilege escalation vulnerability, and CVE-2024-21893, a server-side request forgery flaw residing in an SAML component.
For affected products without a patch, the company has developed mitigations downloadable as an XML file.
A CISA official in mid-January told reporters that 15 federal agencies are Ivanti customers. The official declined to name the agencies or to disclose whether threat actors had successfully gained access to federal systems.
The Shadowserver Foundation tracked more than 21,400 instances of exposed Ivanti VPNs globally and counted approximately 330 hacked instances on Feb. 1.
Researchers from cyber threat intelligence firm Mandiant warned Tuesday that exploitation of vulnerable Ivanti devices has probably spread beyond the suspected Chinese espionage hacker that began hacking the zero- days in December. It is “likely that additional groups” have taken advantage of the zero-days, Mandiant said.
The company also identified a “highly targeted” workaround to the initial mitigation steps Ivanti released on Jan. 10. The threat actor uses the mitigation bypass technique to deploy a web shell dubbed Bushwalk. In some cases, the hacker removed indicators of their activity and restored the system to a clean state after deploying the web shell, making the infection impervious to the Ivanti integrity checker tool.
CISA told affected federal agencies they should assume all linked domain accounts have been compromised and gave them until March 1 to perform a double password reset for all accounts, revoke Kerberos tickets and then revoke tokens for cloud accounts in hybrid deployments or – for cloud-registered devices – revoke the device tokens in the cloud.