
TOUGH MEDICINE

Agencies using vulnerable Ivanti products have until Saturday to disconnect them

Things were already bad with two critical zero-days. Then Ivanti disclosed a new one.

Dan Goodin – Feb 1, 2024 11:45 pm UTC

Federal civilian agencies have until midnight Saturday morning to sever all network connections to Ivanti VPN software, which is currently under mass exploitation by multiple threat groups. The US Cybersecurity and Infrastructure Security Agency mandated the move on Wednesday after disclosing three critical vulnerabilities in recent weeks.

Three weeks ago, Ivanti disclosed two critical vulnerabilities that it said threat actors were already actively exploiting. The attacks, the company said, targeted a limited number of customers using the company's Connect Secure and Policy Secure VPN products. Security firm Volexity said on the same day that the vulnerabilities had been under exploitation since early December. Ivanti didn't have a patch available and instead advised customers to follow several steps to protect themselves against attacks. Among the steps was running an integrity checker the company released to detect any compromises.

Almost two weeks later, researchers said the zero-days were under mass exploitation in attacks that were backdooring customer networks around the globe. A day later, Ivanti failed to make good on an earlier pledge to begin rolling out a proper patch by January 24. The company didn't start the process until Wednesday, two weeks after the deadline it set for itself.

And then, there were three

Ivanti disclosed two new critical vulnerabilities in Connect Secure on Wednesday, tracked as CVE-2024-21888 and CVE-2024-21893. The company said that CVE-2024-21893, a class of vulnerability known as a server-side request forgery, appears to be targeted, bringing the number of actively exploited vulnerabilities to three. German government officials said they had already seen successful exploits of the newest one. The officials also warned that exploits of the new vulnerabilities neutralized the mitigations Ivanti advised customers to implement.

Hours later, the Cybersecurity and Infrastructure Security Agency (typically abbreviated as CISA) ordered all federal agencies under its authority to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks no later than 11:59 pm on Friday. Agency officials set the same deadline for the agencies to complete the Ivanti-recommended steps, which are designed to detect if their Ivanti VPNs have already been compromised in the ongoing attacks.

The steps include:

- Identifying any additional systems connected or recently connected to the affected Ivanti device
- Monitoring the authentication or identity management services that could be exposed
- Isolating the systems from any enterprise resources to the greatest degree possible
- Continuing to audit privilege-level access accounts
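The first, second and fourth of those steps come down to the same triage question: which internal hosts has the appliance been talking to, and which privileged accounts have authenticated through it? The script below is an added example, not code from Ivanti, CISA or the article. It runs over a handful of constructed log lines in an assumed format (a connection record and an authentication record per line); the appliance address, the lookback window and the privileged-account list are all assumptions you would replace with your own inventory.

```python
"""Triage helper for an exposed VPN appliance: list the internal hosts it has
talked to recently and the privileged accounts that authenticated from it.
Added example with constructed data; the log format below is assumed."""
from datetime import datetime, timedelta
import re

APPLIANCE_IP = "10.0.0.5"  # assumed: address of the Ivanti appliance under review
NOW = datetime(2024, 2, 1, 12, 0, 0)  # constructed "current time" for the window

# Constructed sample records (not real logs). Two assumed line shapes:
#   <ISO timestamp> conn src=<ip> dst=<ip> dport=<port>
#   <ISO timestamp> auth user=<account> src=<ip> result=<ok|fail>
SAMPLE_LOG = """\
2024-01-10T12:00:00 conn src=10.0.3.3 dst=10.0.0.5 dport=443
2024-01-30T08:00:00 conn src=10.0.1.20 dst=10.0.0.5 dport=443
2024-01-30T09:15:00 conn src=10.0.0.5 dst=10.0.2.7 dport=445
2024-01-31T22:30:00 auth user=svc_backup src=10.0.0.5 result=ok
2024-01-31T23:00:00 conn src=10.0.0.5 dst=10.0.2.9 dport=389
2024-02-01T01:00:00 auth user=jdoe src=10.0.1.20 result=ok
2024-02-01T02:00:00 auth user=da-admin src=10.0.0.5 result=fail
2024-02-01T02:01:00 auth user=da-admin src=10.0.0.5 result=ok
"""

# Assumed privileged-account list; in practice derive it from directory group membership.
PRIVILEGED = {"da-admin", "svc_backup"}

CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\w+)$")


def parse_events(text):
    """Turn log text into a list of event dicts; lines in neither shape are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"kind": "conn", "ts": datetime.fromisoformat(ts),
                           "src": src, "dst": dst, "dport": int(dport)})
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append({"kind": "auth", "ts": datetime.fromisoformat(ts),
                           "user": user, "src": src, "result": result})
    return events


def connected_hosts(events, appliance_ip, now, lookback_days=14):
    """Hosts that talked to or from the appliance inside the lookback window.

    Returns {host_ip: last_seen_iso}. Connections initiated by the appliance
    matter most: a compromised VPN box reaching into internal services is the
    lateral-movement path to isolate first.
    """
    cutoff = now - timedelta(days=lookback_days)
    seen = {}
    for ev in events:
        if ev["kind"] != "conn" or ev["ts"] < cutoff:
            continue
        if ev["src"] == appliance_ip:
            peer = ev["dst"]
        elif ev["dst"] == appliance_ip:
            peer = ev["src"]
        else:
            continue
        if peer not in seen or ev["ts"] > seen[peer]:
            seen[peer] = ev["ts"]
    return {host: ts.isoformat() for host, ts in sorted(seen.items())}


def privileged_logons_via_appliance(events, appliance_ip, privileged):
    """Successful logons of privileged accounts whose source is the appliance.

    These are the accounts to treat as compromised and queue for the
    password-reset and ticket-revocation work.
    """
    hits = []
    for ev in events:
        if (ev["kind"] == "auth" and ev["src"] == appliance_ip
                and ev["result"] == "ok" and ev["user"] in privileged):
            hits.append((ev["ts"].isoformat(), ev["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for host, last in connected_hosts(evs, APPLIANCE_IP, NOW).items():
        print(f"isolate/inspect {host:12} last seen {last}")
    for ts, user in privileged_logons_via_appliance(evs, APPLIANCE_IP, PRIVILEGED):
        print(f"privileged logon {user} via appliance at {ts}")
```

On the constructed data the host seen on January 10 falls outside the 14-day window and is dropped, the three hosts that exchanged traffic with the appliance in the window are reported with their last-seen time, and only the successful privileged logons sourced from the appliance are listed (the failed da-admin attempt is ignored). Feeding it real firewall or identity-provider exports means adapting the two regular expressions to those formats; the rest of the logic is format-independent.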

The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that include factory resetting their systems, rebuilding them following Ivanti's previously issued instructions, and installing the Ivanti patches.

"Agencies running the affected products must assume domain accounts associated with the affected products have been compromised," Wednesday's directive said. Officials went on to mandate that by March 1, agencies must have reset passwords twice for on-premises accounts, revoked Kerberos-enabled authentication tickets, and then revoked tokens for cloud accounts in hybrid deployments.

Steven Adair, the president of Volexity, the security firm that discovered the initial two vulnerabilities, said its most recent scans indicate that at least 2,200 customers of the affected products have been compromised to date. He applauded CISA's Wednesday directive.

"This is effectively the best way to alleviate any concern that a device might still be compromised," Adair said in an email. "We saw that attackers were actively looking for ways to circumvent detection from the integrity checker tools. With the previous and new vulnerabilities, this course of action around a completely fresh and patched system might be the best way to go for organizations to not have to wonder if their device is actively compromised."

The directive is binding only on agencies under CISA's authority. Any user of the vulnerable products, however, should follow the same steps immediately if they haven't already.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.