CISA, FBI Issue Joint Advisory on Ivanti Vulnerabilities

The advisory is in response to the active exploitation of multiple vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and international partners have jointly released a Cybersecurity Advisory (CSA).

The joint advisory offers technical insights into tactics employed by threat actors, along with indicators of compromise to aid in detecting malicious behavior.

CISA warns that organizations using these devices should be vigilant, as sophisticated threat actors may establish persistence and remain dormant before engaging in malicious activities.

“Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend,” says CISA Executive Assistant Director Eric Goldstein.

“Today’s joint advisory provides further details based upon industry partnerships, incident response findings, and evaluations of the relevant products. Every organization using these products is strongly encouraged to adopt the actions outlined in this advisory,” Goldstein adds.

Other international bodies involved include the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and New Zealand’s National Cyber Security Centre (NCSC-NZ), among others.

"We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat. To be clear, the 29 February advisory does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti," an Ivanti spokesperson told CDO Magazine.

"Ivanti, Mandiant, CISA, and the other JCSA authoring organizations continue to recommend that defenders apply available patching guidance provided by Ivanti if they haven’t done so already, and run Ivanti’s updated Integrity Checker Tool (ICT), released on 27 February, to help detect known attack vectors, alongside continuous monitoring," the spokesperson added.

In January, CISA issued an emergency directive instructing all federal agencies to safeguard against a critical vulnerability in Ivanti Connect Secure, a product that federal government employees use to connect to work remotely.

The critical vulnerability, initially identified by the cybersecurity company Volexity in December, poses a serious threat: it gives attackers substantial access to the businesses or government agencies using the product and allows them to establish additional backdoors for future access.

Note: The article has been updated with the official statement from Ivanti on March 5.

CDO Magazine
www.cdomagazine.tech