The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and international partners, released a cybersecurity advisory (CSA) today to warn about the ongoing exploitation of multiple vulnerabilities within the Ivanti Connect Secure and Ivanti Policy Secure gateways.
CISA first warned Federal agencies of the Ivanti vulnerabilities in January, and the agency then mandated agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products on their networks by Feb. 2.
Today’s advisory comes after the agencies and industry partners have observed “persistent targeting of these vulnerabilities by a variety of cyber threat actors.” CISA explained that threat actors can use the vulnerabilities to bypass authentication and “execute arbitrary commands with elevated privileges.”
“Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend,” said CISA Executive Assistant Director Eric Goldstein.
“Today’s joint advisory provides further details based upon industry partnerships, incident response findings, and evaluations of the relevant products. Every organization using these products is strongly encouraged to adopt the actions outlined in this advisory,” Goldstein added.
Specifically, the advisory warns all organizations using these devices to “assume a sophisticated threat actor could achieve persistence and may lay dormant for a period of time before conducting malicious activity.”
The agencies and industry partners have discovered that cyber threat actors can deceive Ivanti’s internal and external Integrity Checker Tool (ICT), meaning the tool is unable to detect a compromise on an affected device.
The CSA also warns organizations to weigh the risks when choosing a virtual private network (VPN) product, including whether or not to continue operating Ivanti devices at all.
“The FBI and our partners are releasing this cybersecurity advisory so that organizations are able to protect themselves from malicious actors exploiting their networks,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Private and public sector entities should follow the guidance included in this advisory to ensure these critical vulnerabilities are mitigated.”
CISA and its partners are urging organizations to incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of exploitation.
They also recommend organizations avoid VPN solutions that use proprietary protocols or non-standard features; limit outbound internet connections from SSL VPN appliances; keep all operating systems, software, and firmware up to date; and limit SSL VPN connections to unprivileged accounts.
CISA and the FBI issued today’s advisory alongside the Multi-State Information Sharing & Analysis Center (MS-ISAC), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre) – a part of the Communications Security Establishment – and New Zealand’s National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT-NZ).
“We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” a spokesperson from Ivanti told MeriTalk. “To be clear, [the] 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”