CISA has issued a critical directive ordering all US federal agencies to disconnect flawed Ivanti VPN appliances by Saturday.
CISA’s directive came in response to multiple actively exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure VPN appliances that pose a significant threat to the security of Federal Civilian Executive Branch (FCEB) agencies.
Moreover, the directive mandates that FCEB agencies promptly secure all Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) devices on their networks. The order follows the increasing in-the-wild exploitation of Ivanti bugs by various threat actors targeting two zero-day flaws.
Ivanti VPN appliances have attracted a range of malicious actors because of how susceptible they are to attack.
Since December, Ivanti VPN appliances have become the primary target of attacks utilising the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection security vulnerabilities.
In addition, a third actively exploited zero-day vulnerability (CVE-2024-21893) enables attackers to bypass authentication on vulnerable ICS, IPS, and Zero Trust Architecture (ZTA) gateways.
Ivanti addressed these issues by releasing security patches for the affected software versions and providing mitigation instructions for devices awaiting updates or unable to be immediately secured against ongoing attacks.
The company also advised its customers to run a factory reset on every vulnerable appliance before applying the patches to thwart the attackers’ attempts to gain network persistence during software updates.
Currently, there are over 22,000 exposed Ivanti ICS VPNs online. Additionally, a separate tally reports almost 390 compromised Ivanti VPN devices globally as of January 31.
CISA has mandated federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products from their networks by 11:59 PM on Friday, February 2. After disconnecting the devices, agencies must continue identifying signs of compromise on systems connected to or recently connected to the Ivanti devices.
Furthermore, agencies must monitor authentication and identity management services that may have been exposed, isolate enterprise systems, and audit privileged access accounts. The agency also clarified that organisations may bring Ivanti appliances back online only if they export the configurations, factory reset the devices, rebuild them with patched software versions, reimport the configurations, and revoke all connected or exposed certificates, keys, and passwords.
On the other hand, federal agencies running the affected Ivanti products on their networks should assume that the attackers have compromised all linked domain accounts. In cloud environments, they should disable joined/registered devices.
For hybrid setups, every agency should perform a double password reset for all accounts and revoke all Kerberos tickets and cloud tokens. Lastly, agencies must report their status and progress to CISA using the provided CyberScope template, with updates after each recovery stage, upon CISA's request, and when all actions are complete.
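The hybrid-environment step above (reset every account's password twice, then revoke cloud tokens) is the kind of thing an incident team scripts rather than clicks through. The following is an added example written for this page; it is not CISA's tooling or anything from the directive. It assumes the ActiveDirectory and Microsoft.Graph.Users.Actions modules are installed, that the caller already holds the required on-premises and Graph privileges, and that the incident team has placed the affected accounts in a placeholder group named `ivanti-exposed`.

```powershell
# Added example (not from CISA or the article): double password reset for a
# scoped set of AD accounts, followed by revocation of their cloud sign-in
# sessions. The group name 'ivanti-exposed' is a placeholder chosen for this
# example; the Kerberos ticket revocation step is left to the team's own
# domain procedure and is not performed here.

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Scope: only the accounts the incident team has tagged as exposed.
$accounts = Get-ADGroupMember -Identity 'ivanti-exposed' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName, SamAccountName

function New-RandomPassword {
    # 32 random bytes, base64-encoded: long enough for any domain policy and
    # never reused, since the user is forced to change it at next logon.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($u in $accounts) {
    # Two consecutive resets, so that anything derived from the previous
    # password (cached secrets, password history) is no longer usable.
    1..2 | ForEach-Object {
        Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword)
    }
    # The user picks a fresh password at next logon; the random value is never shared.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true

    # Revoke refresh tokens / sign-in sessions for the synced cloud identity,
    # so tokens issued before the reset stop working.
    if ($u.UserPrincipalName) {
        Revoke-MgUserSignInSession -UserId $u.UserPrincipalName | Out-Null
    }
    Write-Host "Reset twice and revoked cloud sessions: $($u.SamAccountName)"
}
```

Run it from a privileged admin workstation against a test group first: the resets are immediate and will disconnect every session of the accounts in scope, which is the intended effect during recovery but painful if the group membership is wrong.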