US cybersecurity agency CISA ordered federal agencies to urgently disconnect Ivanti VPN devices due to the risk of malicious exploitation due to multiple software flaws.
In an update to one emergency directive First published last week, CISA now imposes on all federal civilian executive branch agencies — a list that includes National Security and the Capital Market Commission — disconnect all Ivanti VPN devices due to the “serious threat” posed by numerous zero-day vulnerabilities currently being exploited by malicious hackers.
While federal agencies are typically given weeks to patch vulnerabilities, CISA ordered Ivanti VPN devices disconnected within 48 hours.
“Companies running affected products — Ivanti Connect Secure or Ivanti Policy Secure solutions — should immediately perform the following tasks: As soon as possible and no later than 11:59 p.m. on Friday, February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure Solutions from agency networks,” the emergency directive, which was updated Wednesday, said.
CISA’s warning comes hours after Ivanti said it had uncovered a third zero-day flaw that it is actively exploiting.
Security researchers say Chinese state-backed hackers have exploited at least two of the Ivanti Connect Secure flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — since December. Ivanti said Wednesday it had discovered two additional flaws — CVE-2024-21888 and CVE-2024-21893 — the latter of which has already been used in “targeted” attacks. CISA previously said it “observed some initial targeting of federal agencies.”
Steven Adair, founder of cybersecurity firm Volexity, told TechCrunch on Thursday that at least 2,200 Ivanti devices have been compromised to date. That’s an increase of 500 from the 1,700 number the company tracked earlier this month, though Volexity notes that “the total number is likely much higher.”
In the emergency directive update, CISA told agencies that after disconnecting vulnerable Ivanti products, companies should continue hunting for threats on all systems connected to the affected device, monitor authentication or identity management services that they could be exposed and continue to control privileges level access accounts.
CISA has also provided instructions for bringing the Ivanti devices back online, but has not given federal agencies a deadline to do so.
“CISA has essentially directed the federal agencies to a method for developing what could be considered a completely new and improved installation of [Ivanti Connect Secure] VPN devices as a requirement to get them back online,” Adair told TechCrunch. “If an organization wants to be completely confident that their device is operating from a known good and trusted state, this is probably the best course of action.”
Ivanti this week released patches for some software versions affected by the three actively exploited vulnerabilities, after CISA warned in advisory that malicious attackers had bypassed the mitigations published for the first two vulnerabilities. Ivanti also urged customers to factory reset devices before the patch to prevent hackers from gaining a foothold in their network.