The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to all Federal Civilian Executive Branch agencies, ordering them to disconnect all Ivanti appliances from their networks within 48 hours due to active exploitation of multiple security flaws in these systems by various threat actors. This follows a warning from security researchers that Chinese state-backed cyberattackers known as UNC5221 have been exploiting at least two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances.
The vulnerabilities include an authentication bypass flaw and a command injection flaw, both of which were exploited as zero-days and have continued to be exploited since their disclosure in early January. Additionally, a server-side request forgery flaw and a privilege escalation vulnerability have also been identified in these systems. Ivanti disclosed that the server-side request forgery flaw has already been used in targeted attacks as a zero-day.
Agencies are required to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products from their networks by a specified deadline. This directive applies to 102 federal civilian executive branch agencies, including the Department of Homeland Security, Department of Energy, Department of State, Office of Personnel Management, and the Securities and Exchange Commission.
Private entities using Ivanti appliances are strongly advised to take similar steps to protect their networks from potential exploitation. The urgency of the directive is highlighted by the fact that CISA is insisting on physically disconnecting the appliances right away, rather than patching them, as attackers could potentially access domain accounts, cloud systems, and other connected resources.
CISA has provided instructions on looking for indicators of compromise, as well as how to reconnect the appliances to the networks after they have been rebuilt. The agency has also offered technical assistance to agencies lacking internal capabilities to carry out these actions.
Agencies are instructed to continue threat-hunting activities on systems connected to the appliances and to isolate these systems from enterprise resources as much as possible. They are also required to monitor authentication or identity management services that could have been exposed and audit access accounts for any privilege-level access.
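The monitoring and auditing step above is easiest to act on when the identity-service sign-in records are checked mechanically: which privileged accounts authenticated through the appliance during the exposure window, and which accounts in total used it (the set whose credentials the later revoke-and-reissue step must cover). The script below is an added illustration, not CISA's or Ivanti's tooling; the log format, field names, the privileged-account list, the appliance egress address and the exposure window dates are all constructed for the example.

```python
"""Audit identity-service sign-in records for privileged access that came
through a VPN appliance during an exposure window.

Added example for illustration only (not CISA's or Ivanti's tooling). The
log format, account names, IP addresses and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export from an identity service, one record per line:
# timestamp|account|source_ip|auth_method|result
SAMPLE_LOG = """\
2024-01-12T03:14:07Z|svc-backup|10.10.20.5|vpn-appliance|success
2024-01-12T03:15:40Z|jdoe|10.10.20.5|vpn-appliance|success
2024-01-13T22:01:11Z|da-admin|10.10.20.5|vpn-appliance|success
2024-01-14T09:30:00Z|da-admin|10.1.5.22|workstation|success
2024-01-15T01:02:03Z|svc-backup|10.10.20.5|vpn-appliance|failure
2024-01-20T11:11:11Z|helpdesk|10.10.20.5|vpn-appliance|success
"""

# Constructed: accounts with privilege-level access (e.g. Domain Admins or
# cloud administrator roles) and the appliance's address as the identity
# service sees it. In practice, pull both from the directory, not a literal.
PRIVILEGED_ACCOUNTS = {"da-admin", "svc-backup"}
APPLIANCE_SOURCES = {"10.10.20.5"}

# Constructed exposure window: from the earliest date the appliance is
# assumed to have been exploitable until the moment it was disconnected.
WINDOW_START = datetime(2024, 1, 10, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 19, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SignIn:
    when: datetime
    account: str
    source_ip: str
    method: str
    success: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the pipe-separated export into SignIn records (UTC timestamps)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, method, result = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(SignIn(when, account, ip, method, result == "success"))
    return records


def _via_appliance_in_window(r: SignIn, start: datetime, end: datetime) -> bool:
    return start <= r.when <= end and r.source_ip in APPLIANCE_SOURCES


def audit_privileged_access(records, start=WINDOW_START, end=WINDOW_END):
    """Map each privileged account that successfully authenticated through the
    appliance inside the window to the sessions that did so. Each such account
    should be treated as potentially exposed, not merely watched."""
    findings: dict[str, list[SignIn]] = {}
    for r in records:
        if _via_appliance_in_window(r, start, end) and r.success \
                and r.account in PRIVILEGED_ACCOUNTS:
            findings.setdefault(r.account, []).append(r)
    return findings


def exposed_accounts(records, start=WINDOW_START, end=WINDOW_END):
    """All accounts (privileged or not) that authenticated through the
    appliance in the window: the minimum scope for credential rotation."""
    return sorted({r.account for r in records
                   if _via_appliance_in_window(r, start, end) and r.success})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for account, sessions in audit_privileged_access(recs).items():
        print(f"PRIVILEGED via appliance: {account} ({len(sessions)} session(s))")
    print("accounts needing credential rotation:", exposed_accounts(recs))
```

Only successful sign-ins are counted as exposure, and the workstation sign-in by da-admin and the helpdesk sign-in after disconnection fall outside the findings; failed attempts from the appliance are still worth reviewing separately during threat hunting.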
To reconnect the Ivanti appliances, agencies are instructed to export the appliances’ configuration settings, perform a factory reset, and then rebuild the appliances. The software of the appliances must be upgraded to specific versions through the official download portal. After the upgrade is complete, the configuration settings can be imported back onto the appliance.
Agencies are also required to revoke and reissue all connected or exposed certificates, keys, and passwords and report the status of these steps to CISA by a specified deadline. Additionally, agencies are instructed to reset passwords twice for on-premises accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts. Cloud-joined or registered devices are also to be disabled in order to revoke their device tokens.
Overall, the directive emphasizes the urgency of disconnecting and rebuilding Ivanti appliances to safeguard federal networks from exploitation by threat actors. It underscores the need for comprehensive steps to address potential compromises and strengthen the security of these systems.