CISA confirms compromise of its Ivanti systems

CISA confirmed two of its internal systems were breached by a threat actor that exploited flaws in Ivanti products used by the U.S. cybersecurity agency.

Ivanti on Jan. 10 disclosed two zero-day vulnerabilities that were under exploitation by a Chinese nation-state threat actor. CVE-2023-46805 is an authentication bypass vulnerability in Ivanti Policy Secure, and CVE-2024-21887 is a command injection flaw in select versions of Ivanti Connect Secure. The two can be chained together to achieve unauthenticated remote code execution.

At the end of January, Ivanti finally released patches for both zero-days alongside disclosures of two new flaws, one of which was also a zero-day. That vulnerability, CVE-2024-21893, is a server-side request forgery flaw.

CVE-2023-46805 and CVE-2024-21887 have come under mass exploitation from a variety of threat actors, and among the victims is CISA. Cybersecurity news outlet The Record first reported on Friday that hackers breached the Ivanti systems of the U.S. cyber agency.

CISA confirmed the incident to TechTarget Editorial in the following statement.

About a month ago CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time. This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience. We strongly urge all organizations to review our latest Ivanti advisory and take the steps outlined in it to protect their systems.

In the referenced advisory, published Feb. 29, CISA provided additional technical details surrounding the vulnerabilities and questioned the effectiveness of Ivanti's Integrity Checker Tool (ICT). In previous advisories, Ivanti urged customers to run its internal and external ICTs to test for evidence of compromise. However, CISA said it and its partners determined threat actors deceived the tool.

"During multiple incident response engagements associated with this activity, CISA identified that Ivanti's internal and previous external ICT failed to detect compromise," the advisory read. "In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets."

Ivanti pushed back, saying in a blog post that CISA's lab-based finding had not been found in the wild. The vendor released a new version of the external ICT two days before the agency's advisory.

It's unclear if the latest version of the external ICT tool, which Ivanti released on Feb. 27, fully addressed CISA's concerns regarding the ineffective detection of compromises. CISA has declined to comment further.

TechTarget Editorial asked Ivanti about CISA's security incident, but a company spokesperson declined to comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.