Report: Hackers used Ivanti vulnerabilities to breach two CISA systems

SECURITY

Hackers have gained access to two applications operated by the U.S. Cybersecurity and Infrastructure Security Agency, The Record reported today.

A CISA spokesperson confirmed the breach in a statement. According to the agency, the hackers gained access by using vulnerabilities in Ivanti Inc. products that it uses internally. Ivanti is a major provider of infrastructure management software that counts over 40,000 customers worldwide, including multiple U.S. government agencies.

“The impact was limited to two systems, which we immediately took offline,” CISA stated. “We continue to upgrade and modernize our systems, and there is no operational impact at this time.” The agency didn’t specify exactly which components of its infrastructure were affected. 

The Record cited a source as saying that the hackers comprised the agency’s Infrastructure Protection Gateway and Chemical Security Assessment Tool. According to CISA’s website, the former application provides access to tools and data that officials use to evaluate the security of critical infrastructure . The Chemical Security Assessment Tool, in turn, contains information about chemical facilities.

The breach occurred early last month. Around the same time, CISA instructed federal agencies to disable their deployments of two Ivanti products called Connect Secure and Policy Secure. A few weeks earlier, the two products were found to contain vulnerabilities that allow hackers to run malicious code.

Connect Secure allows workers to log into applications via encrypted connections, while Policy Secure is used by administrators to regulate which employee can access what workload and how. In January, Ivanti disclosed a vulnerability that hackers can use to bypass the two applications’ authentication mechanism. A second security flaw detailed at the same time makes it possible to run malicious commands.

In January, the same products were found to contain two additional vulnerabilities. Those flaws also affect a third Ivanti application called Neurons for ZTA that organizations use to manage their networks.

Shortly after the second set of vulnerabilities came to light, CISA revealed that it “observed some initial targeting” of federal agencies’ Ivanti deployments. An official told The Record that around 15 agencies were using the company’s software.

Cybersecurity company Volexity LLC estimated in early February that at least 2,000 deployments of the vulnerable Ivanti products had been compromised. At the time, more than 22,000 such deployments were connected to the web.

Ivanti has since released patches to fix the vulnerabilities. According to the company, customers should not only install the updates but also reset their environments to the default settings. CISA recently published research that found those mitigations can be sidestepped by hackers, but Ivanti believes threat actors can’t implement the workaround in practice.

Image: CISA