The US cybersecurity agency CISA has ordered federal agencies to urgently disconnect Ivanti VPN devices because multiple software flaws put them at risk of malicious exploitation.
In an update to an emergency directive first issued last week, CISA now requires all federal civilian executive branch agencies, which include the Department of Homeland Security and the Securities and Exchange Commission, to disconnect all Ivanti VPN devices because of the "serious threat" posed by several zero-day vulnerabilities that malicious hackers are currently exploiting.
Although federal agencies are typically given weeks to patch vulnerabilities, CISA ordered Ivanti VPN devices to be disconnected within 48 hours.
"Agencies running the affected products – Ivanti Connect Secure or Ivanti Policy Secure solutions – are required to immediately perform the following tasks: As soon as possible and no later than 11:59 PM on Friday, February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks," said the emergency guidance, which was updated Wednesday.
CISA’s warning comes just hours after Ivanti announced it had uncovered a third zero-day vulnerability being actively exploited.
Security researchers say Chinese state-backed hackers have exploited at least two Ivanti Connect Secure flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — since December. Ivanti said on Wednesday that it had discovered two additional flaws – CVE-2024-21888 and CVE-2024-21893 – the latter of which has already been used in “targeted” attacks. CISA previously said it had “observed some initial targeting of federal agencies.”
At least 2,200 Ivanti devices have been compromised so far, Steven Adair, founder of cybersecurity firm Volexity, told TechCrunch on Thursday. That is an increase of 500 from the 1,700 the company had tracked earlier this month, though Volexity notes that "the total number is likely much higher."
In the update to its emergency guidance, CISA told agencies that after disconnecting the vulnerable Ivanti products they should continue to hunt for threats on any systems that were connected to the affected device, monitor authentication or identity management services that could have been exposed, and continue to audit privilege-level access accounts.
CISA also provided instructions to bring Ivanti devices back online but did not give federal agencies a deadline to do so.
"CISA has effectively steered federal agencies toward a way to deploy what would be considered a completely new and patched installation of [Ivanti Connect Secure] VPN devices as a condition of getting them back online," Adair told TechCrunch. "If an organization wants to be completely certain that its equipment is operating from a known, good, and reliable state, this is likely the best course of action."
Ivanti this week made patches available for some versions of the software affected by the three actively exploited vulnerabilities, after CISA warned in an advisory that malicious attackers had bypassed the published mitigations for the first two flaws. Ivanti also urged customers to factory reset their devices before applying the patch, to prevent hackers who had already compromised a device from keeping a foothold on the network.