US cybersecurity agency CISA has ordered federal agencies to urgently disconnect Ivanti VPN appliances due to the risk of malicious exploitation due to multiple software flaws.
In an updated version of the emergency directive first announced last week, CISA now requires all federal civilian executive branch agencies (a list that includes the Department of Homeland Security and the Securities and Exchange Commission) to shut down all federal agencies due to “serious threats.” Requires disconnecting the Ivanti VPN appliance. It is caused by numerous zero-day vulnerabilities that are currently being exploited by malicious hackers.
Federal agencies typically have several weeks to patch vulnerabilities, but CISA mandates that Ivanti VPN appliances be disconnected within 48 hours.
“Resellers running affected products (Ivanti Connect Secure or Ivanti Policy Secure solutions) should immediately perform the following tasks: as soon as possible, but no later than Friday, February 2, 2024, at 11:00 p.m. “By 59 minutes, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure Solutions products from the Ivanti Policy reseller network,” the emergency directive updated Wednesday states.
CISA's warning comes just hours after Ivanti announced it had discovered a third zero-day flaw that is being actively exploited.
Security researchers say Chinese state-sponsored hackers have been exploiting at least two flaws in Ivanti Connect Secure since December, tracked as CVE-2023-46805 and CVE-2024-21887. Ivanti announced on Wednesday that it had discovered two additional flaws, CVE-2024-21888 and CVE-2024-21893. The latter is already being used for “targeted” attacks. CISA previously said it “observed initial targeting of federal agencies.”
Steven Adair, founder of cybersecurity company Volexity, told TechCrunch on Thursday that at least 2,200 Ivanti devices have been compromised so far. This is an increase of 500 from the 1,700 number the company tracked earlier this month, although Volexity notes that “the total number is likely much higher.”
In an update to its emergency directive, CISA urges government agencies to continue threat hunting on systems connected to affected devices even after disconnecting vulnerable Ivanti products and detect potentially compromised certificates. Or told them they need to monitor their identity management services and continue auditing privileges. level access account.
CISA also provided instructions for restoring Ivanti appliances to online operation, but did not give federal agencies a deadline to do so.
“CISA effectively directed federal agencies on how to deploy what is considered a completely new and patched installation. [Ivanti Connect Secure] as a requirement to get the VPN device back online,” Adair told TechCrunch. “If an organization wants absolute assurance that a device is operating in a known good and reliable state, that's probably the best course of action.”
Ivanti announced this week that it will be updating the list of affected individuals affected by the first two vulnerabilities after CISA warned in an advisory that malicious attackers had circumvented published mitigations for the first two vulnerabilities. A patch has been provided for the department's software version. Ivanti also reminded customers to factory reset their appliances before applying the patch to prevent hackers from becoming persistent on their networks.