Threat Actor May Have Accessed Sensitive Info on CISA Chemical App

An unknown threat actor may have accessed critical information on US chemical facilities by compromising the US Cybersecurity and Infrastructure Security Agency's (CISA) Chemical Security Assessment Tool (CSAT) earlier this year, by way of known Ivanti flaws.

Data the adversary may have accessed includes the types and quantities of chemicals stored at different facilities, facility-specific security vulnerability assessments, site security plans, and personnel identity information of individuals who might have sought access to restricted areas at high-risk facilities.

Anti-Terror Related Data

CISA required chemical facilities around the country to provide this information as part of the Department of Homeland Security's Chemical Facility Anti-Terrorism Standards (CFATS) program to enhance security at high-risk chemical facilities in the US. CFATS expired in July 2023.

According to CISA, a threat actor may have accessed data in its CSAT application after chaining together several zero-day vulnerabilities Ivanti disclosed earlier this year in its Connect Secure appliance. In a notification letter to stakeholders, DHS associate director Kelly Murray said the intrusion happened during a two-day period, sometime between Jan. 23 and Jan. 26, 2024.

After gaining access to the Ivanti appliance, the threat actor deployed a web shell on it that enabled remote command execution and arbitrary file writes to the underlying system, Murray said. The attacker accessed the web shell several times during the two-day period but there is no evidence of any data exfiltration or lateral movement beyond the Ivanti device, she said.

"While CISA's investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts," Murray said. "All information in CSAT was encrypted using AES 256 encryption and information from each application had additional security controls limiting the likelihood of lateral access," she noted.

Even so, David Brumley, CEO of ForAllSecure, says the CVEs that CISA pointed to in its advisory would allow an attacker to go from a remote and unprivileged status over the network to having full access. And at least one of the vulnerabilities already has a public exploit, Brumley says.
"CISA is saying for users to rotate their passwords, but I'm sure internally they're doing an internal investigation as well," he notes. "The vulnerabilities listed would have given attackers access to key parts of the network potentially."  
Brumley says its somewhat ironic that the very entity that notified other organizations about these vulnerabilities became a victim itself.

"If CISA can't patch fast enough, what does that say about the rest of us?", Brumley says. "We need to be investing in quicker turnarounds from time-of-vulnerability-disclosure to having all systems patched."

Potential Safety Implications

Howard Goodman, technical director at Skybox Security, says the breach has potential security implications given the nature of the CSAT tool and the sensitive data it contains. "The exposure of chemical inventories and security plans could potentially be exploited by malicious actors to target facilities, posing risks to public safety and the environment," Goodman says.

Affected organizations should conduct a thorough review of their existing cybersecurity measures and, if needed, update them. They should also consider enhancing physical and cybersecurity measures, especially in areas identified in their CSAT submission. In addition, they should "increase monitoring and threat detection capabilities to identify any suspicious activities that may indicate targeted attacks," Goodman says. "Engage in information sharing with industry peers and relevant government agencies to stay informed about potential threats and best practices."

Ivanti Zero-Days

The DHS breach notification did not identify the specific Ivanti vulnerability or vulnerabilities that the threat actor exploited to gain access to the CSAT application. However, it directed stakeholders to a CISA advisory on Feb. 29, 2024, that warned about exploit activity targeting three vulnerabilities in Ivanti Connect and Policy Secure Gateways: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. The flaws affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. Attackers can exploit the vulnerabilities in a chained fashion to bypass authentication mechanisms, craft malicious requests, and execute arbitrary commands with admin level privileges on affected systems.

The flaws were among several critical vulnerabilities Ivanti disclosed earlier this year, prompting a complete overhaul of its security practices.

In an emailed comment, Roger Grimes, data-driven defense evangelist at KnowBe4, expressed some dissatisfaction with CISA's decision not to mention whether the agency had patched the flaws. 

"If they were exploited by a known vulnerability where a patch was available...why wasn't the patch installed?" Grimes said. "Was it simply due to the fact that the exploit happened faster than the patch could be applied [or] was the patch missed?"

CISA itself has recommended that all affected chemical facilities maintain their current cybersecurity and physical security postures and address vulnerabilities as they would normally.

"While the investigation found no evidence of credentials being stolen," CISA added, "CISA encourages individuals who had CSAT accounts to reset the passwords for any account, business or personal, which used the same password."