Breaking
July 16, 2024

CISA Issues Emergency Directive to Mitigate Actively Exploited Ivanti Vulnerabilities

Written by AiBot

AiBot scans breaking news and distills multiple news articles into a concise, easy-to-understand summary which reads just like a news story, saving users time while keeping them well-informed.

Jan 20, 2024

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal agencies to immediately patch or mitigate recently disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products. The vulnerabilities are being actively exploited by state-sponsored Chinese hackers to compromise devices and networks globally.

Background

Ivanti provides software for secure remote access and network access control. The company’s products, Ivanti Connect Secure and Ivanti Policy Secure, are used by thousands of organizations worldwide, including various US federal agencies.

On January 11th, Ivanti disclosed two critical zero-day vulnerabilities affecting these products after researchers detected exploits in the wild. The flaws allow authentication bypass and arbitrary code execution, enabling attackers to gain full control of vulnerable servers.

Multiple cybersecurity firms and government agencies have since confirmed and tracked increasing exploitation of these vulnerabilities by suspected Chinese state-sponsored hackers. The campaign appears to be targeting foreign governments and militaries including agencies in the US, Canada, Australia, and Europe.

Details of the Emergency Directive

On January 19th, CISA issued Emergency Directive 24-01 ordering federal civilian agencies to immediately apply available patches or implement workarounds for the flaws.

The directive notes that exploitation of the Ivanti vulnerabilities is expected to increase rapidly, potentially compromising hundreds of thousands of devices globally. It states that compromise of federal networks via these vulnerabilities could severely impact security and emergency services, causing “possible loss of life and catastrophic economic damage.”

Required Mitigations

The mitigations agencies must take include:

  • Patching vulnerable Ivanti servers to the latest software versions immediately
  • Implementing available device configuration workarounds to block exploitation
  • Disconnecting or disabling vulnerable Ivanti devices if patching is not an option
  • Using network segmentation controls to isolate vulnerable systems

Additionally, agencies must report compliance with the mandated mitigations to CISA within 10 business days.

Attacks Rapidly Increasing

In the days since Ivanti’s disclosure, a series of developments has shown attacks exploiting the vulnerabilities accelerating across the globe:

  • January 16th: Ivanti reported attacks compromising over 1700 VPN servers from multiple countries
  • January 18th: Researchers uncovered a third zero-day in exploited Ivanti devices
  • January 19th: CISA estimated that over 200 US federal agencies were using vulnerable Ivanti software

Cybersecurity firms tracking the attacks assess that tens of thousands of vulnerable endpoints have already been compromised by hackers.

Furthermore, they warn that any organization using Ivanti Connect Secure before version 9.8 or Ivanti Policy Secure before version 5.8 could be at risk.

Chinese State Hackers Behind Exploits

Multiple cybersecurity companies have attributed exploitation of the Ivanti flaws to Chinese state-sponsored hackers with high confidence. Specifically:

  • Mandiant tracked activity to a Chinese group known as UNC3890
  • Anomali identified techniques used by groups APT41 and BARIUM
  • Microsoft and CrowdStrike have also linked the exploits to China

The hackers appear to have had access to the zero-days prior to their public disclosure, suggesting the vulnerabilities were stolen or purchased through underground markets. The exploits enable them to gain remote admin access and are being used as part of larger cyber espionage campaigns.

Targets compromised so far lean heavily towards Western military and foreign-affairs-related agencies.

Potential Impact and Outlook

With many Ivanti customers still unpatched and scrambling to mitigate, experts assess the situation remains extremely concerning:

  • Widespread credential theft and network infiltration expected
  • Sensitive government and military data is at risk
  • Hackers could utilize networks as launch points for further attacks

While federal civilian agencies should now be enacting CISA’s mandated mitigations, there are fears these developments could be just the tip of the iceberg.

Similar emergency directives and warnings have gone out to government and public sector entities in Canada, the UK, Australia and beyond. However, many private sector companies affected may still remain unaware their systems have already been compromised via the Ivanti flaws.

In the US, the priority has now shifted to compliance enforcement and trying to track inevitable fallout from agencies or networks that failed to mitigate in time. But globally there are worries of a long tail of incident response activities needed to uncover and remediate intrusions in the months ahead.

Notable Recent Statements

Cybersecurity leaders and government officials have issued stark warnings over the last week highlighting the importance of patching:

“This activity poses an imminent threat to federal networks and requires an immediate and emergency action.” – CISA Director Jen Easterly

“The rapid weaponization and active exploitation of these vulnerabilities indicate we are likely still just seeing the tip of the iceberg.” – Charles Carmakal, Mandiant SVP

“Patching these vulnerabilities is mission critical for any organization using Ivanti products.” – National Cyber Security Center (UK)

Timeline of Key Events

Date                  Event
--------------------  ----------------------------------------------------------------
December 20th, 2022   Suspected initial exploitations and vulnerabilities stolen/leaked
January 11th, 2023    Ivanti discloses 2 critical zero-days after attacks detected
January 13th          Detailed vulnerability analysis released
January 16th          Ivanti reports mass exploitation impacting 1700+ VPNs
January 18th          A third zero-day identified in ongoing analysis
January 19th          CISA issues emergency directive to US federal agencies
January 19th          200+ US agencies confirmed using vulnerable Ivanti software

The timeline shows a very short 13-day window between initial public disclosure of the Ivanti flaws and confirmation of large-scale active exploitation impacting hundreds of US government networks. The rapid weaponization left many organizations exposed and needing to mitigate quickly once the vulnerabilities and attacks came to light through January.

Looking Ahead

Over the next few months, organizations across various industries could discover that they were impacted without having realized it. There are further fears this incident could enable secondary attacks leveraging compromised networks and credentials.

While early warnings focused heavily on government agencies and militaries, implications likely reach into healthcare, finance, energy and other critical infrastructure sectors exposed through third party software.

The key priority now will be identifying and remediating breaches stemming from these attacks, to prevent adversaries from converting network access into further data theft or operational disruption.

For impacted organizations, extensive log analysis, forensic investigation, credential resets and checking for indicators of compromise will likely be required even after applying the available Ivanti patches.

In summary, this emergency directive on critical Ivanti software vulnerabilities capped off three hectic weeks of scrambling to contain active exploitation by suspected Chinese hackers. While early warnings prioritized government entities, the incident looks poised to become a landmark case study on the speed and scale of modern cyber campaigns. For any organization using Ivanti’s products, understanding exposure levels and mitigating risk remains essential, given the likelihood of advanced persistent threat groups capitalizing on access obtained through these attacks for months ahead.


To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
