In an emergency directive, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to disconnect all instances of Ivanti Connect Secure and Policy Secure solution products from agency networks no later than 11:59PM on Friday February 2, 2024.
Besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts sounded about two new high severity flaws on January 31, 2024.
CISA has taken this drastic step after noticing widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Policy Secure solutions with severe consequences:
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
Based on that, CISA determined that these conditions pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and requires emergency action.
FCEB agencies using Ivanti Connect Secure and Ivanti Policy Secure solution will find a list of required actions in the emergency directive Supplemental Direction V1: Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities.
These actions include threat hunting on any systems connected to—or recently connected to—the affected Ivanti device. CISA notes that agencies running the affected products must assume domain accounts associated with the affected products have been compromised.
Agencies have permission to reconnect devices only if they’ve been factory reset and updated according to Ivanti’s instructions.
How did it come this far?
On January 10, 2024 Ivanti released advisories about two actively exploited vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways. Active exploitation dates back as far as December 3, 2023. These vulnerabilities were listed as CVE-2023-46805 and CVE-2024-21887.
Ivanti provided a workaround and said patches would be released on a schedule based on versions, with the first coming out in the week of January 22. The last version will come out the week of February 19.
Soon after, reports started surfacing about several groups exploiting the vulnerabilities amassing as many as 1,700 compromised devices, with 7,000 more that remained vulnerable. Also, some security firms noticed a Chinese APT was able to bypass the mitigations.
New vulnerabilities came to light on January 31, 2024 listed as CVE-2024-21888 and CVE-2024-21893 where Ivanti remarked that it was aware of “a small number of customers who have been impacted by CVE-2024-21893 at this time.” Customers can read this KB article for detailed instructions on how to apply the new mitigation and how to apply the patch as each version becomes available.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.