
CISA reveals breach of Chemical Security Assessment Tool


The Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed a breach of its Chemical Security Assessment Tool (CSAT) that occurred in January. The breach resulted from an attack that targeted Ivanti zero-day vulnerabilities and compromised the online portal, which provides surveys and applications to assess high-risk chemical facilities under the U.S. government’s Chemical Facility Anti-Terrorism Standards program.

In a notification letter sent to stakeholders on June 20, CISA Associate Director Kelly Murray revealed that an unnamed threat actor exploited the tool from Jan. 23-26. Although there was no evidence of data exfiltration, the breach potentially allowed unauthorized access to sensitive information, including Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts. Of particular concern were the Personnel Surety Program submissions, which contain personally identifiable information such as aliases, passport numbers, redress numbers, Global Entry ID numbers, and more.

The breach was traced back to CSAT’s Ivanti Connect Secure appliance, where a malicious actor installed an advanced webshell that could execute malicious commands or write files to the underlying system. While the CSAT data was encrypted with AES-256 and additional security controls were in place, the breach raised significant security concerns.

This incident followed a previous disclosure in March, where CISA reported that two of its systems were compromised via vulnerabilities in Ivanti products. These vulnerabilities were zero-days that Chinese nation-state actors had exploited. One of the vulnerabilities was an authentication bypass flaw in Ivanti Policy Secure, while the other was a command injection vulnerability in Ivanti Connect Secure.

In response to these security incidents, CISA had previously raised concerns about the effectiveness of Ivanti’s Integrity Checker Tool (ICT) in detecting compromises. MITRE, a not-for-profit research and development firm responsible for managing the CVE system, also reported a breach linked to the exploitation of the Ivanti zero-days by nation-state threat actors.

In light of the breach, CISA advised chemical facilities to enhance their cyber and physical security measures. The agency recommended that individuals with CSAT accounts reset passwords for any accounts, business or personal, that shared the same password to mitigate the risk of future attacks.

While CISA’s investigation found no evidence of data exfiltration, the agency took the necessary steps to inform participants in the Chemical Facility Anti-Terrorism Standards program about the intrusion and the potentially impacted information. TechTarget Editorial reached out to Ivanti for additional comments, but the company had not responded at the time of publication.

Overall, the breach of CSAT highlighted the ongoing cybersecurity challenges faced by government agencies and organizations alike. As threats continue to evolve, it is crucial for all entities to remain vigilant and proactive in safeguarding their sensitive data and systems against malicious actors.
