
CISA Releases Eviction Strategies Tool for Incident Response

July 30, 2025 • César Daniel Barreto

CISA Issues Emergency Directive Amid Ongoing Attacks Against Ivanti Vulnerabilities By Reuters – February 5, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive amid the ongoing exploitation of critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products. Attackers have been confirmed to use these flaws for network intrusion, sensitive data exfiltration, and malicious payload execution.

What Happened? Two vulnerabilities, CVE-2023-46805 (an authentication bypass flaw) and CVE-2024-21887 (a command injection vulnerability), work in conjunction and are being actively exploited in the wild against Ivanti’s widely deployed VPN and network access control solutions across federal agencies, critical infrastructure, and private enterprises.

Who Is In Immediate Danger? All organizations that use Ivanti Connect Secure (ICS) VPN and Ivanti Policy Secure (IPS) are at risk. Mitigations are being mandated for federal agencies within 48 hours, but the private sector should also take action.

When Was it Detected? Where? Initial detection was in early January 2024. Recent weeks have seen an uptick in attacks. Multiple federal networks have already been compromised, as noted by CISA, though specific victims were not named.

Why Does It Matter? Attackers can bypass authentication, execute arbitrary commands, and maintain persistence on the compromised network. Because government and enterprise environments rely heavily on Ivanti’s solutions, the consequences could be extremely damaging, ranging from espionage to ransomware.

How to Respond? CISA has ordered federal agencies to take the following steps: 1. Disconnect affected Ivanti products until patches are applied, 2. Watch for indicators of compromise listed in CISA’s advisory, and 3. Apply temporary mitigations if they cannot patch now. Ivanti has made patches available, but systems that have not been patched may already be compromised. The FBI and NSA are helping with the incident response.

Official Statements CISA Director Jen Easterly stated, “This is an active threat and will require urgent steps to prevent further breaches.” Ivanti acknowledged the problem and urged its customers to follow its security bulletins for updates. This warning follows previous alerts from Mandiant and Volexity about attacks reportedly linked to suspected Chinese state actors.

Organizations should ensure patches are applied and networks are monitored to reduce this risk.


César Daniel Barreto is an esteemed cybersecurity writer and expert, known for his in-depth knowledge and ability to simplify complex cyber security topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analysis on the latest cybersecurity trends, educating both professionals and the public.