US Agencies Must Disconnect Ivanti VPN Devices Amid ‘Substantial Threat’: CISA

The cybersecurity agency has ordered the VPN disconnection by a Saturday deadline, as attackers exploit multiple vulnerabilities in Ivanti Connect Secure devices.

U.S. agencies must disconnect Ivanti Connect Secure VPNs by a Saturday deadline, as attackers continue to exploit multiple vulnerabilities in the devices, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

The CISA order is an update to its previous “emergency directive” about the threat to Ivanti Connect Secure devices, issued Jan. 19.


“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks,” CISA said in the updated directive to federal agencies in the civilian executive branch Wednesday.

The CISA directive is also a signal to private-sector organizations about the ongoing seriousness of the threat, which has seen thousands of Ivanti Connect Secure devices compromised, according to researchers.

The directive cites CISA’s capacity to issue such orders in response to an incident that “represents a substantial threat to the information security of an agency.”

Earlier this week, CISA warned that the Connect Secure vulnerabilities, first disclosed Jan. 10, continue to be exploited by attackers. Threat actors, in fact, have now figured out a way to bypass Ivanti’s previously released mitigations, CISA said Tuesday.

Widespread Attacks

The Ivanti vulnerabilities have seen “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups,” researchers at Mandiant reported Wednesday.

The attacks by UNC5221 — a “suspected China-nexus espionage threat actor” — go back as far as Dec. 3, the researchers at Google Cloud-owned Mandiant said.

Ivanti released the first patch for two widely exploited Connect Secure vulnerabilities Wednesday while also disclosing two additional zero-day flaws affecting the devices. An Ivanti spokesperson told CRN that the patch addresses both sets of vulnerabilities.

One of the newly disclosed flaws — a server-side request forgery vulnerability (tracked as CVE-2024-21893) — has already seen exploitation, Ivanti said.

The original vulnerabilities are an authentication bypass vulnerability (tracked as CVE-2023-46805) and a command injection vulnerability (tracked as CVE-2024-21887). The two vulnerabilities can be chained together by threat actors to target customers of Ivanti’s Connect Secure VPN, the company has said.

When used in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

The vulnerabilities “impact all supported versions” of Connect Secure, according to Ivanti. The flaws also impact Ivanti’s Policy Secure gateway.

Variety Of Targets

Earlier this month, researchers at Volexity reported that “mass exploitation” of the Ivanti Connect Secure vulnerabilities was underway.

Victims of the attacks are “globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” wrote the Volexity researchers, who first discovered the flaws in December, in a previous post.

More than 2,100 Ivanti Connect Secure VPN devices have been compromised in the attacks, according to the latest update from Volexity, published Jan. 18.

The initial patch for multiple versions of Ivanti Connect Secure was originally planned for release last week but had been delayed.

“The patches released on January 31 cover the majority of our customers,” Ivanti said in a statement Wednesday.