CISA warns Ivanti ICT ineffective for detecting compromises

CISA observed ongoing exploitation against four Ivanti vulnerabilities and found problems with the vendor's Integrity Checker Tool, which is designed to detect compromises.

In a new advisory Thursday, CISA warned that threat actors continue to exploit previously disclosed Ivanti vulnerabilities and that the vendor's internal and external integrity checker tools failed to detect compromises.

Last month, Ivanti issued a series of disclosures for four vulnerabilities, tracked as CVE-2023-46805, CVE-2024-21887, CVE-2024-2204 and CVE-2024-21893, that affect Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways. Exploitation of two of the zero-day flaws, CVE-2023-46805 and CVE-2024-21887, began before patches were available. Volexity, which was credited with discovering the two flaws, and Mandiant both attributed the activity to a Chinese nation-state actor. CISA separately confirmed reports of exploitation and required Federal Civilian Executive Branch agencies to disconnect all ICS and IPS devices as part of the mitigation steps.

Ivanti repeatedly urged customers to run its external and internal Integrity Checker Tool (ICT). The vendor released an external ICT in January after the internal tool was manipulated by attackers. However, a joint advisory Thursday by CISA and several partnering organizations revealed more problems with the ICT.

"During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets," CISA wrote in the advisory.

Investigations revealed that attackers exploited the vulnerabilities to gain initial access, then deployed web shells and harvested credentials. The attackers then moved laterally and leveraged several tools that are native to Ivanti appliances. In some cases, the attacks led to full domain compromise, the advisory warned.

CISA said the web shells deployed by attackers rendered the ICT unreliable for malicious file searches. Attackers also manipulated the ICT by returning the appliance to a "clean state" to obfuscate their tracks.

CISA's forensic analysis follows previous problems with the ICT that Ivanti highlighted last month. In a security advisory for CVE-2023-46805 and CVE-2024-21887, Ivanti confirmed it observed threat actors "attempting to manipulate" the internal ICT. Ivanti urged customers to run the external tool, which was updated with a new feature, instead.

However, CISA's advisory Thursday said the ICT is ineffective, based on incident response investigations and the agency's own research. "Leveraging these vulnerabilities, CISA researchers were able to exfiltrate domain administrator cleartext credentials, gain root-level persistence, and bypass integrity checks used by the integrity checker application," the advisory read.

Now, CISA is asking ICS and IPS customers to weigh the risks of running the products in their environments.

"The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment," the advisory read.

Editor's note: Emphasis by CISA.

Ivanti pushes back

Ivanti pushed back on CISA's claims that the updated ICT is ineffective and again urged customers to use it in tandem with continuous monitoring. An Ivanti spokesperson gave the following statement to TechTarget Editorial:

We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat. To be clear, the 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.

Ivanti, Mandiant, CISA and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven't done so already and run Ivanti's updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring.

Ivanti released a new version of ICT earlier in the week. In its advisory, CISA advised organizations with Ivanti devices to assume user and service account credentials within the appliances are likely compromised, hunt for malicious activity in their environments and run the most recent external ICT.

Ivanti also updated a blog post on Thursday emphasizing that CISA's lab-based research findings have not been replicated in the wild. "It is important to note that this lab-based finding has not been observed by CISA, Ivanti or Mandiant in the wild, and based on the evidence presented and further analysis by our team, we believe that if a threat actor were to attempt this remotely they would lose connection to Ivanti Connect Secure, and not gain persistence in a live customer environment. Furthermore, customers that patched and executed a successful factory reset (hardware) or deployed a new build (virtual) would not be at risk from the activity outlined in CISA's report."

Ivanti also addressed claims that CISA previously advised federal agencies to unplug their machines as part of the mitigation process.

"CISA's original directive to federal agencies was misinterpreted by the media who only reported on the first step of instructions. CISA made updates to their directive to correct this, and then subsequently updated again on February 9 to make it absolutely clear that you can turn the product on after patching," Ivanti wrote in the blog post.

Earlier this month, Ivanti faced criticism from supply chain security vendor Eclypsium regarding problems with its Pulse Secure firmware. The research revealed additional security concerns beyond the recently disclosed vulnerabilities, including multiple outdated and unsupported software components in the firmware. It also emphasized that internet-exposed appliances remain an attractive target for threat actors.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
