The CSAT breach that allegedly occurred earlier this year has prompted CISA to warn affected parties about possible leaks of information, in particular key security evaluations and plans.
CISA has now confirmed that the Ivanti Connect Secure appliance serving the Chemical Security Assessment Tool (CSAT) was compromised on January 23, 2024, allowing a threat actor to install a web shell on the device.
The threat actor then accessed this web shell numerous times over two days. After CISA discovered the intrusion, it took the device offline to examine the threat actor’s behaviour and the potential data exposure.
CISA has not disclosed which vulnerabilities were exploited, but it cited a CISA advisory that details threat actors exploiting various vulnerabilities in Ivanti Connect Secure and Policy Secure Gateway devices.
That advisory covers three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. All three were reported before CISA’s breach on January 23 and were rapidly exploited by threat actors. Another vulnerability, CVE-2024-21888, was discovered on January 22, one day before CISA’s Ivanti device was compromised.
CISA claimed that the CSAT breach was unsuccessful because of the application’s encryption.
CISA states that all data in the CSAT application is encrypted with AES-256 and that there is no evidence of data theft resulting from the CSAT breach. Still, the agency has opted to alert organisations and individuals out of caution.
However, even though CISA could not confirm whether the attack succeeded, the number of persons and organisations whose data was potentially at risk met the threshold for a major incident under the Federal Information Security Modernization Act (FISMA).
The information that could have been exposed includes Personnel Surety Program submissions, Top-Screen surveys, Site Security Plans, Security Vulnerability Assessments, and CSAT user accounts.
This potentially exposed data could contain highly sensitive information about the security posture and chemical inventory of sites that use the CSAT tool. CISA states that the CSAT user accounts contained information such as aliases, place of birth, citizenship, passport number, redress number, Global Entry ID number, and TWIC identification number.
While CISA states there is no evidence that credentials were stolen, it recommends that all CSAT account holders change the password on any other account that uses the same password. Lastly, CISA has sent separate notification letters to account holders and to its own personnel.