CISA Orders Ivanti VPN Appliances Disconnected: What to Do
US federal agencies have to disconnect, rebuild, and reconfigure all Ivanti Connect Secure and Policy Secure VPN appliances. This Tech Tip lists all the steps that need to happen.
February 1, 2024
The United States Cybersecurity and Infrastructure Security Agency (CISA) has given Federal Civilian Executive Branch agencies roughly 48 hours to disconnect every Ivanti Connect Secure and Ivanti Policy Secure appliance in use on federal networks, over concerns that multiple threat actors are actively exploiting multiple security flaws in these products. The order is part of the supplemental direction accompanying last week's emergency directive (ED 24-01).
Security researchers say suspected Chinese state-backed cyberattackers tracked as UNC5221 have exploited at least two vulnerabilities in Ivanti Connect Secure, first as zero-days and then continuing after public disclosure on Jan. 10: an authentication bypass (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). In addition, Ivanti said this week that a server-side request forgery flaw (CVE-2024-21893) has already been used as a zero-day in "targeted" attacks, and it disclosed a privilege-escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21888) that had not yet been observed in attacks in the wild.
"Agencies running affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks," CISA wrote in its supplemental direction.
CISA's directive applies to the 102 agencies listed as "federal civilian executive branch agencies," a list which includes the Department of Homeland Security, Department of Energy, Department of State, Office of Personnel Management, and the Securities and Exchange Commission (but not the Department of Defense).
Private entities with Ivanti appliances in their environments are strongly recommended to prioritize taking these same steps to protect their networks from potential exploitation.
Ivanti VPN Cyber-Risk: Rip It All Out
The instruction to disconnect, not patch, the products with just roughly 48 hours' notice "is unprecedented," noted cloud security researcher Scott Piper. Because Ivanti appliances bridge the organization's network to the broader Internet, an attacker who compromises one of these boxes can potentially reach domain accounts, cloud systems, and other connected resources. The recent warnings from Mandiant and Volexity that multiple threat actors are exploiting the flaws at scale are likely why CISA is insisting that the appliances be physically disconnected right away.
CISA provided instructions on looking for indicators of compromise (IoCs), as well as how to reconnect everything to the networks after the appliances are rebuilt. CISA also said it will provide technical assistance to agencies without internal capabilities to carry out these actions.
Agencies are instructed to continue threat-hunting activities on systems that are connected to, or were recently connected to, the appliances, and to isolate those systems from enterprise resources "to the greatest degree possible." They should also monitor any authentication or identity management services that could have been exposed and audit privileged accounts.
How To Reconnect Appliances
The Ivanti appliances cannot simply be reconnected to the network; they need to be rebuilt and upgraded to remove the vulnerabilities and anything attackers may have left behind.
"If exploitation has occurred, we believe it is likely that the threat actor has taken an export of your running configurations with the private certs loaded on the gateway at time of exploit, and left behind a Web shell file enabling backdoor future access," Ivanti wrote in a knowledgebase article explaining how to rebuild the appliance. "We believe the purpose of this Web shell is to provide a backdoor to the gateway after the vulnerability is mitigated, for this reason we are recommending customers revoke and replace certificates to prevent further exploitation after mitigation."
Agencies are instructed to first export the appliance's configuration settings, perform a factory reset, and then rebuild the appliance.
The appliance's software must be upgraded through the official download portal to one of the following versions: 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, or 9.1R17.2.
Once the upgrade is complete, the configuration settings can be imported back onto the appliance.
The assumption is that the appliances have been compromised, so the next step is to revoke and reissue all connected or exposed certificates, keys, and passwords. That includes resetting the admin enable password, stored API keys, and the password of any local user defined on the gateway, such as service accounts used for auth server configuration.
Agencies must report to CISA the status of these steps by Feb. 5, 11:59PM EST.
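The fixed builds listed above sit on several parallel maintenance branches (9.1R14, 9.1R17, 9.1R18, 22.4R2, 22.5R1), so a plain numeric comparison is misleading: 9.1R16.2 is numerically above 9.1R14.4 but is not one of the fixed branches. The following PowerShell function is an added example, not Ivanti's or CISA's tooling, that decides whether a reported version string is on or above a fixed build of the same branch. It assumes the bare version string in the form shown in the article (major.minor, then R, then release.patch) and treats any branch absent from the list as unpatched.

```powershell
function Test-IvantiFixedBuild {
    # Returns $true only when $Version is on a branch that has a fixed build in
    # the article's list and its patch number is at or above that fixed build.
    param([Parameter(Mandatory)] [string] $Version)

    # Fixed builds named in the article, one per maintenance branch.
    $fixed = '9.1R18.3', '22.4R2.2', '22.5R1.1', '9.1R14.4', '9.1R17.2'

    # Assumed format: <line>R<release>.<patch>, e.g. 9.1R18.3 or 22.4R2.2
    $pattern = '^(?<line>\d+\.\d+)R(?<rel>\d+)\.(?<patch>\d+)$'
    if ($Version -notmatch $pattern) {
        throw "Unrecognised Ivanti version string: '$Version'"
    }
    # Capture before the loop below overwrites $Matches.
    $line  = $Matches['line']
    $rel   = [int]$Matches['rel']
    $patch = [int]$Matches['patch']

    foreach ($f in $fixed) {
        $null = $f -match $pattern
        if ($Matches['line'] -eq $line -and [int]$Matches['rel'] -eq $rel) {
            # Same branch: fixed if the running patch level is at or past the fix.
            return ($patch -ge [int]$Matches['patch'])
        }
    }
    # No fixed build on this branch in the list: needs an upgrade, not a patch.
    return $false
}

# Constructed inputs for illustration (not from any real appliance):
foreach ($v in '9.1R18.3', '9.1R18.4', '9.1R16.2', '22.4R2.1') {
    '{0,-10} fixed: {1}' -f $v, (Test-IvantiFixedBuild $v)
}
```

The function deliberately returns $false for a branch it does not know about rather than guessing, which matches the directive's posture: anything not demonstrably on a fixed build gets rebuilt and upgraded.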
Assume Compromise
It is safer to assume that all services and domain accounts connected to the appliances have been compromised, and to act accordingly, than to try to guess which systems may have been targeted. As such, agencies must reset passwords twice (a double password reset) for on-premises accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts. Cloud-joined and cloud-registered devices need to be disabled in order to revoke their device tokens.
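The rotation steps above, carried out for Active Directory and Microsoft Entra ID as an added example; this is not CISA's or Ivanti's own tooling. It assumes the RSAT ActiveDirectory module on the host, the Microsoft Graph PowerShell SDK signed in with an account that holds User.RevokeSessions.All and Device.ReadWrite.All, and that the account and device lists come from your own exposure review (the identities the gateway used for auth-server binds, users who authenticated through it, and devices registered from it). It supports -WhatIf so the plan can be reviewed before anything changes.

```powershell
<#
 Added example (not CISA's or Ivanti's tooling): rotate credentials that a
 compromised Ivanti gateway could have reached.
   - two consecutive password resets for each on-premises account
   - optional krbtgt reset to invalidate Kerberos tickets (one pass per run)
   - revoke Entra ID refresh tokens for listed users
   - disable listed Entra ID devices so their device tokens stop working
 Assumed file name: Rotate-ExposedCredentials.ps1
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string[]] $SamAccountName,   # on-prem users / service accounts
    [string[]] $CloudUserPrincipalName = @(),            # Entra ID users: revoke refresh tokens
    [string[]] $CloudDeviceObjectId    = @(),            # Entra ID device object IDs: disable
    [switch]   $ResetKrbtgt                              # also reset krbtgt (see warning)
)

function New-RandomSecurePassword {
    # 24 CSPRNG bytes, base64-encoded: 32 characters mixing upper, lower, digits, symbols.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-DoublePasswordReset {
    # Two back-to-back resets: the first replaces the possibly stolen secret, the
    # second pushes that replacement out of the "previous password" slot too.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $Identity)
    foreach ($pass in 1, 2) {
        if ($PSCmdlet.ShouldProcess($Identity, "Reset password (pass $pass of 2)")) {
            Set-ADAccountPassword -Identity $Identity -Reset -NewPassword (New-RandomSecurePassword)
        }
    }
}

# 1. On-premises accounts: double reset each one.
foreach ($sam in $SamAccountName) {
    Invoke-DoublePasswordReset -Identity $sam
}

# 2. Kerberos tickets: TGTs are only fully invalidated after krbtgt has been reset
#    twice, and the two resets must be separated by a full AD replication cycle.
#    This script performs one reset per run; re-run it after replication converges.
if ($ResetKrbtgt) {
    if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset KDC secret (one pass)')) {
        Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword (New-RandomSecurePassword)
        Write-Warning 'krbtgt reset once. Existing TGTs remain valid until a second reset; wait for replication before re-running with -ResetKrbtgt.'
    }
}

# 3. Cloud accounts and devices via Microsoft Graph.
if ($CloudUserPrincipalName.Count -gt 0 -or $CloudDeviceObjectId.Count -gt 0) {
    if (-not $WhatIfPreference) {
        Connect-MgGraph -Scopes 'User.RevokeSessions.All', 'Device.ReadWrite.All'
    }
    foreach ($upn in $CloudUserPrincipalName) {
        if ($PSCmdlet.ShouldProcess($upn, 'Revoke all refresh tokens')) {
            Revoke-MgUserSignInSession -UserId $upn | Out-Null
        }
    }
    foreach ($id in $CloudDeviceObjectId) {
        if ($PSCmdlet.ShouldProcess($id, 'Disable device (invalidates device tokens)')) {
            Update-MgDevice -DeviceId $id -AccountEnabled:$false
        }
    }
}

# Example invocation (constructed names):
# .\Rotate-ExposedCredentials.ps1 -SamAccountName svc-ldap-bind, jdoe `
#     -CloudUserPrincipalName jdoe@example.gov -ResetKrbtgt -WhatIf
```

Revoking refresh tokens does not kill access tokens that have already been issued; those expire on their own, which is why the device disable step matters for anything that was registered through the compromised gateway. Run with -WhatIf first, then without, and keep the krbtgt second pass on a separate, replication-gated schedule.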
Agencies are required to report their status across all the steps by March 1, 11:59PM EST.