The US Cybersecurity and Infrastructure Security Agency (CISA) has given federal civilian executive agencies 48 hours to delete all Ivanti devices in use on federal networks, due to concerns that More threat actors are actively exploiting multiple security flaws in these systems. The order is part of the supplemental direction accompanying last week’s emergency directive (ED 24-01).
Security researchers say state-backed Chinese hackers known as UNC5221 exploited at least two vulnerabilities both as zero-days and after disclosure in early January: an authentication bypass (CVE-2023-46895) and a command injection (CVE-2024-21887) defect — in Ivanti Connect Secure. Additionally, Ivanti claimed this week that a server-side request was spoofed (CVE-2024-21893) has already been used in “targeted” attacks such as zero day and has revealed a privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21888) which has not yet been observed in attacks in the wild.
“Agencies using affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as practicable and no later than 11:59 pm on Friday, February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” CISA wrote in its additional direction.
The CISA Directive applies to the 102 entities listed as “federal agencies of the civilian executive branch,” a list that includes the Department of Homeland Security, the Department of Energy, the Department of State, the Office of Personnel Management, and the Securities and Exchange Commission (but not the Department of Defense).
Private entities using Ivanti devices in their environments are strongly advised to prioritize taking these same measures to protect their networks from potential exploitation.
Ivanti VPN Cyber-Risk: Rip everything
The instruction to disconnect, and not patch, products with only about 48 hours’ notice is “unprecedented,” noted cloud security researcher Scott Piper. Because Ivanti devices connect your organization’s network to the broader Internet, compromising these devices means attackers can potentially gain access to domain accounts, cloud systems, and other connected resources. Mandiant and Volexity’s recent warnings that there are multiple threat actors exploiting the defects of mass numbers This is probably why CISA insists on physically disconnecting devices immediately.
CISA provided instructions on looking for indicators of compromise (IoC) and how to reconnect everything to the networks after rebuilding the equipment. CISA also said it will provide technical assistance to agencies without internal capabilities to carry out these actions.
Agencies are being asked to continue threat hunting activities on systems that were connected or recently connected to equipment, as well as isolate systems from company assets “to the maximum extent possible.” They should also monitor any authentication or identity management services that may have been exposed and check login accounts at the privilege level.
How to reconnect household appliances
Ivanti appliances cannot simply be reconnected to the network, but must be rebuilt and updated to remove vulnerabilities and anything that attackers may have left behind.
“If an exploit occurred, we believe it is likely that the threat actor performed an export of the running configurations with the private certificates loaded on the gateway at the time of the exploit and left a web shell file that allows the ‘future access via backdoor,’ Ivanti wrote in a knowledge base article that explains how to rebuild the appliance. “We believe the purpose of this web shell is to provide a backdoor to the gateway after the vulnerability has been mitigated, which is why we recommend customers revoke and replace certificates to prevent further exploitation after mitigation.”
-
Agencies are required to first export the appliance configuration settings, perform a factory reset, and then rebuild the appliance.
-
The appliance software must be updated via the official download portal to one of the following versions: 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, or 9.1R17.2.
-
Once the upgrade is complete, the configuration settings can be imported back into the appliance.
The assumption is that the equipment has been compromised, so the next step is to revoke and reissue all connected or exposed certificates, keys and passwords. This includes resetting the administrator enablement password, stored API keys, and the password of any local users defined on the gateway, such as service accounts used for configuring the authentication server.
Agencies must report the status of these steps to CISA by February 5 at 11:59 pm EST.
Let’s assume a compromise
It is safer to assume that all services and domain accounts connected to the equipment have been compromised and act accordingly, rather than trying to guess which systems may have been targeted. Therefore, agencies must reset passwords twice (double password reset) for local accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts. Devices added/registered to the cloud needed to be disabled to revoke device tokens.
Agencies are required to report their status at all steps by March 1 at 11:59 pm EST.