Risk & Repeat: CISA hacked via Ivanti vulnerabilities

CISA disclosed last week that two internal systems were compromised via its Ivanti products, marking the latest development surrounding recent Ivanti zero-day vulnerabilities.

On Jan. 10, Ivanti published an advisory for an authentication bypass vulnerability in Ivanti Policy Secure tracked as CVE-2023-46805 and a command injection flaw in certain versions of Ivanti Connect Secure tracked as CVE-2024-21887. Chained together, the bugs are capable of remote code execution. Cybersecurity companies have observed mass exploitation of the flaws.

At the end of January, Ivanti patched both vulnerabilities along with another zero day, a server-side request forgery flaw tracked as CVE-2024-21893.

Last Friday, The Record first reported a threat actor has breached two internal systems at CISA that utilized Ivanti products. CISA confirmed the attack in a statement shared with TechTarget Editorial. The agency said malicious activity was first detected about a month ago, and there was "no operational impact." Although CISA did not say the attack was connected to recent Ivanti zero-day flaws, the agency strongly urged organizations to "review our latest Ivanti advisory and take the steps outlined in it to protect their systems."

In that advisory, CISA provided additional technical information and indicators of compromise for the aforementioned zero days and questioned the effectiveness of Ivanti's Integrity Checker Tool (ICT). The agency said "Ivanti's internal and previous external ICT failed to detect compromise" in multiple incident response engagements. CISA also said it conducted independent lab testing that showed "the Ivanti ICT is not sufficient to detect compromise," though Ivanti pushed back on these findings.

Questions remain regarding whether CISA's own breach involved ICT failing to detect compromised devices or if the latest version of Ivanti's external ICT sufficiently detects compromises.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the latest events surrounding the CISA hack and recent Ivanti zero days.

Subscribe to Risk & Repeat on Apple Podcasts.

Alexander Culafi is senior information security news writer and podcast host for TechTarget Editorial.