U.S. cybersecurity agency CISA has ordered federal agencies to urgently disconnect Ivanti VPN appliances given the risk of malicious exploitation due to multiple software flaws.
In an update to an emergency directive first published last week, CISA is now mandating that all federal civilian executive branch agencies — a list that includes the Homeland Security and the Securities and Exchange Commission — disconnect all Ivanti VPN appliances due to the “serious threat” posed by numerous zero-day vulnerabilities currently being exploited by malicious hackers.
Though federal agencies are typically given weeks to patch against vulnerabilities, CISA has ordered the disconnection of Ivanti VPN appliances within 48 hours.
“Agencies running affected products — Ivanti Connect Secure or Ivanti Policy Secure solutions — are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” reads the emergency directive, updated on Wednesday.
CISA’s warning comes just hours after Ivanti said it had uncovered a third zero-day flaw being actively exploited.
Security researchers say Chinese state-backed hackers have exploited at least two of the Ivanti Connect Secure flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — since December. Ivanti on Wednesday said it had discovered two additional flaws — CVE-2024-21888 and CVE-2024-21893 — the latter of which has already been used in “targeted” attacks. CISA previously said it had “observed some initial targeting of federal agencies.”
Steven Adair, founder of cybersecurity company Volexity, told TechCrunch on Thursday that at least 2,200 Ivanti devices have been compromised to date. This is an increase of 500 from the 1,700 figure the company tracked earlier this month, though Volexity notes the “total number is likely much higher.”
In the update to its emergency directive, CISA has told agencies that after disconnecting the vulnerable Ivanti products, agencies must continue threat hunting on any systems connected to the affected device, monitor the authentication or identity management services that could be exposed and continue to audit privilege level access accounts.
CISA has also provided instructions for restoring Ivanti appliances to online operation but has not given federal agencies a deadline to do so.
“CISA has effectively directed federal agencies on a method for deploying what would be considered a completely fresh and patched install of [Ivanti Connect Secure] VPN devices as a requirement to bring them back online,” Adair told TechCrunch. “If any organization wants to be fully assured their device is being operated from a known good and trusted state, that is likely the best course of action.”
Ivanti this week made patches available for some software versions affected by the three actively exploited vulnerabilities, after CISA warned in an advisory that malicious attackers had bypassed mitigations published for the first two vulnerabilities. Ivanti also urged customers to factory reset appliances before patching to prevent hackers from gaining persistence on their network.
Ivanti patches two zero-days under attack, but finds another