Federal civilian agencies have until midnight Saturday morning to sever all network connections to Ivanti VPN software, which is currently under mass exploitation by multiple threat groups. The US Cybersecurity and Infrastructure Security Agency mandated the move on Wednesday after disclosing three critical vulnerabilities in recent weeks.
Three weeks ago, Ivanti disclosed two critical vulnerabilities that it said threat actors were already actively exploiting. The attacks, the company said, targeted “a limited number of customers” using the company’s Connect Secure and Policy Secure VPN products. Security firm Volexity said on the same day that the vulnerabilities had been under exploitation since early December. Ivanti didn’t have a patch available and instead advised customers to follow several steps to protect themselves against attacks. Among the steps was running an integrity checker the company released to detect any compromises.
Almost two weeks later, researchers said the zero-days were under mass exploitation in attacks that were backdooring customer networks around the globe. A day later, Ivanti failed to make good on an earlier pledge to begin rolling out a proper patch by January 24. The company didn’t start the process until Wednesday, two weeks after the deadline it set for itself.
And then, there were three
Ivanti disclosed two new critical vulnerabilities in Connect Secure on Wednesday, tracked as CVE-2024-21888 and CVE-2024-21893. The company said that CVE-2024-21893—a class of vulnerability known as a server-side request forgery—“appears to be targeted,” bringing the number of actively exploited vulnerabilities to three. German government officials said they had already seen successful exploits of the newest one. The officials also warned that exploits of the new vulnerabilities neutralized the mitigations Ivanti advised customers to implement.
Hours later, the Cybersecurity and Infrastructure Security Agency—typically abbreviated as CISA—ordered all federal agencies under its authority to “disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks” no later than 11:59 pm on Friday. Agency officials set the same deadline for the agencies to complete the Ivanti-recommended steps, which are designed to detect if their Ivanti VPNs have already been compromised in the ongoing attacks.
The steps include:
- Identifying any additional systems connected or recently connected to the affected Ivanti device
- Monitoring the authentication or identity management services that could be exposed
- Isolating the systems from any enterprise resources to the greatest degree possible
- Continuing to audit privilege-level access accounts.
The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that include factory-resetting their system, rebuilding them following Ivanti’s previously issued instructions, and installing the Ivanti patches.
“Agencies running the affected products must assume domain accounts associated with the affected products have been compromised,” Wednesday’s directive said. Officials went on to mandate that by March 1, agencies must have reset passwords “twice” for on-premises accounts, revoke Kerberos-enabled authentication tickets, and then revoke tokens for cloud accounts in hybrid deployments.
Steven Adair, the president of Volexity, the security firm that discovered the initial two vulnerabilities, said its most recent scans indicate that at least 2,200 customers of the affected products have been compromised to date. He applauded CISA’s Wednesday directive.
“This is effectively the best way to alleviate any concern that a device might still be compromised,” Adair said in an email. “We saw that attackers were actively looking for ways to circumvent detection from the integrity checker tools. With the previous and new vulnerabilities, this course of action around a completely fresh and patched system might be the best way to go for organizations to not have to wonder if their device is actively compromised.”
The directive is binding only on agencies under CISA’s authority. Any user of the vulnerable products, however, should follow the same steps immediately if they haven’t already.