Federal Cyber Agency Offlines 2 Systems After Ivanti Hack

CISA, which had previously issued warnings about hackers exploiting zero-day vulnerabilities in certain Ivanti products, now says that it has had its own systems compromised.

After issuing a warning about Ivanti zero-day vulnerabilities, the federal Cybersecurity and Infrastructure Security Agency (CISA) has now suffered a pair of breaches because of the incident.

Hackers exploiting vulnerabilities in Ivanti products breached two CISA systems in February, according to Recorded Future. The agency said it immediately took those systems offline, and that no other systems were affected. A spokesperson said CISA saw “no operational impact at this time,” and “continue[s] to upgrade and modernize” its systems.

CISA has not disclosed which systems were impacted. However, Recorded Future reported that one was the Infrastructure Protection (IP) Gateway. Per CISA’s website, that gateway serves as the way that Department of Homeland Security partners access integrated IP tools, capabilities and information to conduct comprehensive critical infrastructure vulnerability assessments and other security-related business.

The other system was the Chemical Security Assessment Tool, a portal housing surveys and applications that chemical facilities must complete to help CISA assess the risks of terrorists weaponizing the chemicals they hold, as part of a lapsed federal program.

Randy Rose is senior director of security operations and intelligence at the Center for Internet Security. If those two systems were indeed breached, he said it was hard to imagine such an incident having an impact on local government, other than potentially making some online resources unavailable. Users of the systems who have a key contact at CISA should be able to reach out and learn about possible impacts, he said.

Lower-level governments, however, now face more risks in using Ivanti products. After the vulnerabilities were discovered, the Center for Internet Security scanned for them among lower-level governments, finding more than 100 devices.

The vulnerabilities are in products that have been widely used across the public and private sectors for providing secure remote connections, Rose said. This points to the importance of organizations adopting a layered approach to security and risk management, mitigating risk when one line of defense fails.

Local governments can boost defenses in part by ensuring they have good logs they regularly review, increasing the chance of detecting malicious activity and helping uncover root causes, Rose said. Governments should also identify the best sources for help, including the Multi-State Information Sharing and Analysis Center, the FBI and cyber insurance providers, among others.

Organizations that use Ivanti offerings can turn to CISA’s joint advisory for recommended mitigations.

National Cybersecurity Alliance Executive Director Lisa Plaggemier said the Ivanti exploitations are part of a trend of attackers targeting companies that do business with government. These hackers often see vendors as an easier route to hitting government entities, making it important for vendors to prioritize cybersecurity.

Software supply chain attacks are a continued risk. While organizations frequently discuss vendor security before signing contracts, there’s still need for greater transparency and collaboration with clients, Plaggemier said.

The situation with Ivanti is evolving. CISA and its partners updated their alert about Ivanti in February with new warnings. For one, it said attackers could evade detection by Ivanti’s Integrity Checking Tool. Ivanti responded by announcing the release of an improved version.

Additionally, CISA found via lab testing that “a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.” Organizations should consider the persisting risks for Ivanti devices when deciding whether to keep using them in an enterprise environment, the alert said. Ivanti, meanwhile, countered that such persistence has not yet been observed in the wild.

Root-level persistence would mean threat actors have significant access to a device that could help them manipulate the system to disguise activities. That could include deleting logs or perhaps making activities appear to be coming from the system itself rather than from a user, Rose said. If attackers only have access to a device, organizations can just take the device offline. But if attackers are able to pivot from the device into other parts of the network, they become harder to eradicate, he said.

Cybersecurity company Mandiant suspects Chinese government-linked cyber espionage actors were behind the initial exploitations. While Rose’s organization does not do attribution, he said nation-state actors that compromise security vendors for software supply chain attacks are often looking to gain footholds in systems to maintain long-term, potentially using that access for later attacks. They might use this access for conducting influence operations or potentially taking systems offline to cause economic harm.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.