Data breaches are an ongoing threat to businesses of all sizes and types operating across industries. Violations can have a significant impact on large groups, small businesses, government agencies, and nonprofits. This is particularly true for industries such as the public sector, healthcare, and finance. The records compromised in these kinds of breaches are extremely valuable and range from classified government data to private personal information, financial data, and login credentials.

The strict regulatory penalties and repercussions further increase the burden organizations bear when a breach occurs. For instance, according to a report published by IBM, the average cost of a healthcare data breach is USD 10.10 million, significantly more than the average cost of breaches in other industries. This blog covers the importance of cybersecurity to organizations, a recent incident at the Cybersecurity and Infrastructure Security Agency (CISA), and how the vulnerabilities in Ivanti products were exploited.

What Happened at CISA (Cybersecurity and Infrastructure Security Agency)?

The Cybersecurity and Infrastructure Security Agency (CISA), responsible for protecting critical infrastructure in the US, was breached last month through vulnerabilities in Ivanti products, specifically Connect Secure and Policy Secure, which many hacking groups have been targeting continuously. Since January, patches have been issued for five important categories of security vulnerabilities, and attackers have exploited these known flaws.

Researchers have identified a new threat actor called Magnet Goblin, which specializes in exploiting recently revealed vulnerabilities before vendors release patches. This highlights an evolving cyber threat landscape, with attackers demonstrating increased speed and sophistication.

CISA promptly took two compromised systems offline upon detecting suspicious activity. While details regarding the specific systems remain undisclosed, reports suggest they might be critical infrastructure portals.

This incident underscores the importance of:

  • Prompt patching of vulnerabilities, especially those identified by CISA advisories.
  • Re-evaluating the security of systems using potentially compromised software.
  • Implementing robust incident response plans for swift identification and containment of breaches.

The diverse malware suite employed by Magnet Goblin emphasizes the need for comprehensive cybersecurity measures. Organizations must stay informed about emerging threats and adopt a proactive security posture to defend against these increasingly complex attacks.

How Were the Ivanti Vulnerabilities Exploited?

The cybersecurity industry is extremely concerned about the attack on the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which was carried out by hackers taking advantage of weaknesses in Ivanti products. The Infrastructure Protection Gateway and the Chemical Security Assessment Tool (CSAT), two vital CISA systems, were compromised in this February hack. The sensitive information held on the compromised systems, covering the interdependency of private-sector chemical security measures and U.S. infrastructure, underscored the seriousness of the breach. In response, CISA took these systems offline to reduce additional risk and emphasized the need to have robust incident response strategies in place to strengthen organizational resilience against cyber threats.

CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, the vulnerabilities exploited in Ivanti products, have been actively targeted by threat actors, including a Chinese nation-state actor. These vulnerabilities presented serious security threats by enabling remote code execution and unauthorized access on compromised devices. Threat actors persisted in using these vulnerabilities despite patches and public warnings, which resulted in an increase in attacks directed toward the Ivanti Connect Secure and Policy Secure gateways.

CISA’s response included directing all federal civilian agencies in the U.S. to disconnect Ivanti products to prevent further exploitation until patches were applied. The agency also highlighted the limitations of Ivanti’s Integrity Checker Tool (ICT) in detecting compromises effectively, emphasizing the need for enhanced cybersecurity measures beyond relying solely on vendor tools. This incident serves as a stark reminder of the pervasive nature of cyber threats and underscores the critical importance of proactive cybersecurity practices, continuous monitoring, and swift incident response to safeguard critical infrastructure and sensitive information from malicious actors.

Impact of the Breach

The breach has sparked concerns regarding the security of sensitive industrial data housed within the affected systems. Despite reassurances from CISA that there is currently no operational impact, the potential ramifications of such breaches on national security should not be underestimated. The absence of clear information regarding the attack’s nature, including potential data access or theft, underscores the necessity for heightened cybersecurity measures.

How Can Kratikal Help Prevent Such Attacks?

Kratikal, a CERT-In empanelled auditor, provides VAPT and compliance services. We also specialize in root cause analysis performed by our cybersecurity experts. Below are the steps that Kratikal follows:

Identifying the Problem

In the absence of a clearly defined issue, it becomes infeasible to look back and examine the strategies that led to the problem. Determining the nature and extent of the issue and how to address it is therefore a crucial step.

Identifying the Root Cause

Review the steps taken to determine the possible consequences of the identified problem. It’s important to acknowledge that there can be many causes, so write down all that apply. The security team at Kratikal uses brainstorming, process maps, and fishbone diagrams to better capture the various causes of the issue.

Come up with the Solutions

Additionally, a brainstorming session with the team is clearly useful. Team members have strong knowledge of the project and its execution, making them a valuable resource in developing solutions to the problem.

Implementing the Solution

Remember that this is not an isolated process; it must be ongoing. To ensure that the solution effectively achieves its intended purpose, patience and regular maintenance are needed. Progress needs to be monitored and shared with everyone who might be affected by the suggested adjustments.

Conclusion

The most recent breach of the United States Cybersecurity and Infrastructure Security Agency (CISA) due to vulnerabilities in Ivanti products serves as a reminder of the ongoing risk posed by cyber attackers. This event highlights how crucial it is to safeguard sensitive data through continuous visibility, proactive cybersecurity planning, and quick action when something goes wrong. The significance of this type of intrusion, which transcends organizational boundaries, heightens concerns about national security and highlights the need for cybersecurity monitoring throughout a system’s entire lifespan. This blog also highlights the drawbacks of depending solely on vendor tools for cybersecurity and the need to have a strong incident response strategy.

Kratikal, a CERT-In empanelled auditor, is trusted by over 450 enterprises and SMEs worldwide. Our team of trained cybersecurity specialists offers complete security solutions to organizations of all sizes in a variety of industries. Trust Kratikal for Cyber Security Services to find and fix vulnerabilities before attackers exploit them. Work together with us to protect your digital assets effectively.

FAQs

  1. What is root cause analysis?

    Ans: It is a quality management procedure utilized by organizations to investigate the underlying cause of a problem, issue, or incident post-occurrence. This method aids in understanding the root cause and determining corrective actions to prevent similar incidents in the future.

  2. Why choose Kratikal for root cause analysis?

    Ans: Kratikal’s approach ensures immediate incident resolution, thorough investigation, and detailed reporting. We provide concrete evidence and comprehensive recommendations, empowering the organization to enhance its security posture effectively.

Ref: https://www.scmagazine.com/news/cisa-breached-by-hackers-exploiting-ivanti-bugs
