CISA Directs Ivanti VPN Appliances to be Disconnected: What Steps to Take

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to all Federal Civilian Executive Branch agencies ordering them to disconnect every Ivanti Connect Secure and Ivanti Policy Secure appliance from their networks within 48 hours, citing active exploitation of multiple security flaws in these products by a range of threat actors. The order follows warnings from security researchers that a suspected Chinese state-backed espionage group, tracked as UNC5221, has been exploiting at least two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances.

The vulnerabilities include an authentication bypass flaw and a command injection flaw. Chained together, they give an unauthenticated attacker command execution on the appliance; both were exploited as zero-days before their disclosure in early January and have been exploited widely since. Ivanti has since disclosed two further flaws, a server-side request forgery vulnerability and a privilege escalation vulnerability, and has confirmed that the server-side request forgery flaw was also used as a zero-day in targeted attacks.

Agencies are required to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure from their networks by a specified deadline. The directive applies to 102 federal civilian executive branch agencies, including the Department of Homeland Security, the Department of Energy, the Department of State, the Office of Personnel Management, and the Securities and Exchange Commission.

Private entities running Ivanti appliances are strongly advised to take the same steps to protect their networks. The urgency of the directive shows in CISA's insistence that the appliances be disconnected immediately rather than merely patched in place: an attacker who has already gained a foothold on an edge appliance can use its position to reach domain accounts, cloud systems, and other resources connected behind it.

CISA has provided instructions for hunting for indicators of compromise, as well as for reconnecting the appliances to agency networks once they have been rebuilt. The agency has also offered technical assistance to agencies that lack the internal capability to carry out these actions.

Agencies are instructed to continue threat-hunting on any systems that were connected to or reachable from the appliances, and to isolate those systems from enterprise resources as far as possible. They must also monitor any authentication or identity management services that could have been exposed through the appliances, and audit accounts that authenticated through them for privilege-level access.
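The audit step above is the part most teams end up scripting: take the appliance's authentication log for the exposure window, work out which identities actually authenticated through the device, and rank them by privilege so that the highest-value accounts are rotated first. The following is an added example and is not CISA's or Ivanti's code. The log line format, the group names and the exposure window start date are all constructed for illustration; a real Ivanti Connect Secure log export and a real directory dump use different layouts, so the regex and the membership source would need adjusting.

```python
"""Triage which identities were exposed through a compromised VPN appliance.

Added example, not from CISA or Ivanti. The log format, group names and
window start below are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: one authentication event per line, syslog-like.
# Fields: timestamp, result, user, source IP, realm. NOT a real ICS format.
SAMPLE_LOG = """\
2024-01-08T22:14:03Z AUTH_OK user=CORP\\alice src=203.0.113.10 realm=Users
2024-01-12T03:41:55Z AUTH_OK user=CORP\\alice src=198.51.100.7 realm=Users
2024-01-12T03:42:10Z AUTH_OK user=svc-backup@corp.example src=198.51.100.7 realm=Users
2024-01-13T11:02:19Z AUTH_FAIL user=bob src=198.51.100.7 realm=Users
2024-01-15T09:30:00Z AUTH_OK user=CORP\\Carol src=192.0.2.44 realm=Admins
this line is malformed and must be skipped
2024-01-20T17:05:42Z AUTH_OK user=dave src=192.0.2.45 realm=Users
"""

# Constructed directory export (group -> normalised member names).
# Group names are hypothetical.
PRIVILEGED_GROUPS = {
    "Domain Admins": {"alice", "carol"},
    "Tier0-ServiceAccounts": {"svc-backup"},
    "Helpdesk": {"bob"},
}
# Only these groups count as privilege-level access for the audit.
PRIVILEGED_GROUP_NAMES = {"Domain Admins", "Tier0-ServiceAccounts"}

# Assumed start of the exposure window (the early-January disclosure).
WINDOW_START = datetime(2024, 1, 10, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def normalize_user(raw: str) -> str:
    """Strip a DOMAIN\\ prefix or @realm suffix and lower-case, so that
    'CORP\\Alice', 'alice@corp.example' and 'alice' compare equal."""
    user = raw.rsplit("\\", 1)[-1]
    user = user.split("@", 1)[0]
    return user.lower()


@dataclass
class Exposure:
    user: str
    first_seen: datetime
    sources: set[str] = field(default_factory=set)
    privileged_groups: set[str] = field(default_factory=set)


def triage(log_text: str, window_start: datetime,
           groups: dict[str, set[str]], privileged: set[str]) -> dict[str, Exposure]:
    """Return accounts that authenticated successfully through the appliance
    at or after window_start, annotated with their privileged group membership.
    Failed logins, pre-window events and unparsable lines are ignored."""
    exposed: dict[str, Exposure] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "AUTH_OK":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < window_start:
            continue
        user = normalize_user(m["user"])
        e = exposed.setdefault(user, Exposure(user=user, first_seen=ts))
        e.first_seen = min(e.first_seen, ts)
        e.sources.add(m["src"])
        e.privileged_groups = {g for g in privileged if user in groups.get(g, set())}
    return exposed


def rotation_order(exposed: dict[str, Exposure]) -> list[str]:
    """Privileged accounts first, then the rest, each group alphabetically."""
    return sorted(exposed, key=lambda u: (not exposed[u].privileged_groups, u))


def run_sample() -> dict[str, Exposure]:
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_LOG, WINDOW_START, PRIVILEGED_GROUPS, PRIVILEGED_GROUP_NAMES)


if __name__ == "__main__":
    result = run_sample()
    for user in rotation_order(result):
        e = result[user]
        tag = "PRIVILEGED" if e.privileged_groups else "standard"
        print(f"{tag:10} {user:12} first={e.first_seen:%Y-%m-%d} "
              f"src={sorted(e.sources)} groups={sorted(e.privileged_groups)}")
```

Two design points matter here. Usernames are normalised before the join, because the same person shows up as `CORP\alice`, `alice@corp.example` and `alice` across VPN, Kerberos and cloud logs, and a case-sensitive or un-stripped comparison would silently drop privileged accounts from the rotation list. Failed authentications are deliberately excluded from the exposure set but are still worth a separate look, since a burst of failures from the same source as a later success is a common sign of credential testing.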

To bring an appliance back into service, agencies must export its configuration settings, perform a factory reset, and rebuild the appliance. The software must then be upgraded to one of the specific versions CISA lists, obtained through Ivanti's official download portal. Only after the upgrade is complete may the saved configuration be imported back onto the appliance.

Agencies are also required to revoke and reissue all certificates, keys, and passwords that were connected to or exposed through the appliances, and to report the status of these steps to CISA by a specified deadline. For on-premises accounts they must reset passwords twice and revoke Kerberos tickets; for cloud accounts they must revoke issued tokens. Cloud-joined or cloud-registered devices are to be disabled so that their device tokens are revoked as well.

Overall, the directive treats every exposed appliance as potentially compromised: disconnect first, rebuild from a clean image, and then rotate every credential the device could have touched before trusting it again.
