CISA Breached Via Ivanti VPN Vulnerabilities: Report
The cybersecurity agency reportedly confirmed that two of its systems were compromised a month ago.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reportedly confirmed that two of its systems were compromised in February by hackers who exploited Ivanti VPN vulnerabilities.
The report Friday in Recorded Future News pinpointed the timing of the CISA breach as taking place around a month ago.
CISA reportedly did not answer several questions, including whether data had been stolen.
CRN has reached out to CISA and Ivanti for comment.
On Feb. 29, CISA warned organizations to “consider the significant risk” that may be posed by continuing to use widely exploited Ivanti VPNs, but did not disclose it had fallen victim itself to a compromise through the vulnerabilities.
As part of the Feb. 29 advisory, CISA shared results of its independent lab research showing that even a factory reset of Ivanti Connect Secure VPNs may not be sufficient to remove a threat actor’s foothold on the devices.
Previously, the mass exploitation of Connect Secure vulnerabilities prompted CISA to issue its first “emergency directive” of 2024 on Jan. 19. Then on Feb. 1, CISA ordered that federal civilian agencies take the extreme measure of temporarily disconnecting their Ivanti Connect Secure VPNs within 48 hours.
Three Connect Secure flaws have seen mass exploitation by attackers since the initial disclosure Jan. 10, according to security researchers.
The original vulnerabilities are an authentication bypass vulnerability (tracked as CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). Ivanti has said the vulnerabilities can be used together by threat actors to target customers of its Connect Secure VPN.
Researchers have also reported seeing widespread exploitation of a server-side request forgery vulnerability affecting Connect Secure, tracked as CVE-2024-21893.
Ivanti released the first patch for the original VPN vulnerabilities on Jan. 31, and has also shared mitigations for all five of the Connect Secure flaws disclosed since Jan. 10.
Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.