CISA Orders ‘Emergency’ Response Amid Ivanti VPN Attacks

With thousands of Ivanti Connect Secure devices compromised so far, CISA ordered federal agencies to ‘immediately’ implement protections against two zero-day vulnerabilities in the VPN system.

U.S. federal agencies must “immediately” comply with an emergency order to deploy vulnerability mitigation measures following widespread attacks against Ivanti Connect Secure VPN customers, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Friday.

The “emergency directive” from CISA “requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation.”

The directive is also a signal to private-sector organizations about the seriousness of the threat, which has seen thousands of Ivanti Connect Secure devices compromised so far, according to researchers.

In its directive Friday, CISA said it has “observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions.”

CISA reported that it has seen “multiple threat actors” exploiting the vulnerabilities in attack campaigns against Ivanti customers.

“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency wrote in the directive. “CISA has determined these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action.”

‘Mass Exploitation’

The order, which is CISA’s first emergency directive of 2024, comes several days after researchers at Volexity reported that “mass exploitation” of the Ivanti Connect Secure vulnerabilities is underway.

Victims of the Ivanti VPN attacks are “globally distributed and vary greatly in size,” the researchers, who first discovered the flaws in December, wrote in a post Monday.

The victims range “from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” Volexity’s research team wrote in the post.

At least 2,100 Ivanti Connect Secure VPN devices have been compromised in the attacks, according to the latest update from Volexity, published Thursday.

Ivanti disclosed the zero-day vulnerabilities on Jan. 10, and patches are not yet available. The company has published mitigation measures and has also urged customers to run its external Integrity Checker Tool (ICT), because attackers have attempted to tamper with the appliance's internal integrity checker.

In a statement provided to CRN Friday, Ivanti expressed support for CISA’s decision to release an emergency directive over the issue.

“The Emergency Directive is consistent with Ivanti’s guidance from the initial advisory on 10 January that customers should apply mitigation and run the external ICT,” the company said.

Patches Planned For Next Week

Ivanti has said the first patches will be available next week, beginning Monday, with the remainder released on a staggered schedule running through mid-February.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

The attacks are coming from a nation-state threat actor Volexity tracks as UTA0178—which is believed to be working on behalf of China’s government—as well as other threat actors, Volexity researchers have said.

Exploitation of the Ivanti VPN vulnerabilities by a “suspected espionage threat actor” began in December, researchers at Mandiant reported last week, confirming earlier findings on the timing of the attacks by Volexity researchers.

The authentication bypass vulnerability, tracked as CVE-2023-46805, carries a CVSS severity score of 8.2 out of 10.0, while the command injection vulnerability, CVE-2024-21887, carries a score of 9.1 out of 10.0.

The two vulnerabilities can be chained by threat actors to target Connect Secure VPN customers, Ivanti has said. When used together, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.
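The article describes the two flaws only by class: an authentication bypass chained with a command injection, yielding command execution without a valid session. As an added, deliberately generic illustration of how such a chain works (Python written for this page, not Ivanti's code, and not a description of how the Ivanti flaws themselves operate; the routes, the `host` parameter and the `echo` command are made up), the toy gateway below makes its access decision on one representation of the request path and routes on another, then builds a shell command line from a request parameter. The hardened version canonicalises first and never hands attacker-controlled data to a shell.

```python
import posixpath
import re
import subprocess

# Toy gateway used only to illustrate the two bug classes the article names.
# Paths, parameters and the command are made up; this is not Ivanti's code.
PUBLIC_PREFIXES = ("/api/v1/public/",)            # routes reachable without a session
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")    # allow-list shape for a host argument


def vulnerable_dispatch(raw_path: str, query: dict, session: bool) -> str:
    """Authentication bypass (path normalisation mismatch) chained with command injection."""
    # Bug 1: the access decision is made on the raw path, but the router below
    # works on the normalised path. "/api/v1/public/../../../admin/diag" starts
    # with a public prefix, passes this check, and is then routed to the admin handler.
    if not session and not raw_path.startswith(PUBLIC_PREFIXES):
        return "401 Unauthorized"
    route = posixpath.normpath(raw_path)
    if route == "/admin/diag":
        # Bug 2: the untrusted 'host' value is interpolated into a shell command line,
        # so a ';' in it lets the caller append a command of their own.
        cmd = f"echo probing {query.get('host', '')}"
        return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return "404 Not Found"


def hardened_dispatch(raw_path: str, query: dict, session: bool) -> str:
    """Same endpoints with both bug classes closed."""
    # Fix 1: canonicalise once, and make every security decision on that canonical route.
    route = posixpath.normpath(raw_path)
    if not session and not route.startswith(PUBLIC_PREFIXES):
        return "401 Unauthorized"
    if route == "/admin/diag":
        host = query.get("host", "")
        # Fix 2: validate the argument against an allow-list pattern and pass it as a
        # separate argv element, so no shell ever parses it.
        if not HOST_RE.fullmatch(host):
            return "400 Bad Request"
        return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout
    return "404 Not Found"


if __name__ == "__main__":
    # Constructed attack request: traverses out of the public prefix and smuggles a second command.
    attack_path = "/api/v1/public/../../../admin/diag"
    attack_query = {"host": "203.0.113.5; echo INJECTED"}
    print(repr(vulnerable_dispatch(attack_path, attack_query, session=False)))  # INJECTED appears, no session needed
    print(repr(hardened_dispatch(attack_path, attack_query, session=False)))    # 401 Unauthorized
```

Two points carry over to real appliances: the authorisation check and the router must agree on a single canonical form of the path (a real front end also has to percent-decode before normalising, which this toy skips), and a parameter that ends up in a process invocation belongs in a separate argv element behind an allow-list, never in a string a shell will parse.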

The vulnerabilities “impact all supported versions” of Connect Secure, Ivanti said. The flaws also impact Ivanti’s Policy Secure gateway.

The issue is separate from a critical Ivanti Endpoint Manager Mobile vulnerability that, CISA disclosed Thursday, has also been exploited in the wild.