February 1, 2024 at 08:52AM
CISA has directed U.S. federal agencies to disconnect vulnerable Ivanti Connect Secure or Policy Secure VPN appliances due to exploited bugs. Ivanti is targeted in attacks using zero-day flaws, prompting the release of security patches and mitigation instructions. Agencies are required to follow a series of steps to bring the Ivanti appliances back online and must report their progress to CISA.
Based on the meeting notes, the key takeaways are as follows:
1. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a supplemental directive to disconnect all Ivanti Connect Secure or Policy Secure VPN appliances vulnerable to actively exploited bugs from U.S. federal agency networks by Saturday.
2. This directive is part of a response to several zero-day vulnerabilities that have been actively exploited by threat actors, including CVE-2023-46805 authentication bypass, CVE-2024-21887 command injection, and CVE-2024-21893 server-side request forgery.
3. Ivanti has released security patches for some affected software versions and provided mitigation instructions for devices awaiting patches or unable to be immediately secured.
4. There are currently over 22,000 Ivanti ICS VPNs exposed online, with more than 21,400 instances compromised worldwide, and almost 390 hacked devices discovered on January 31.
5. Federal agencies are required to disconnect all Ivanti VPN instances by Friday, February 2, and must subsequently hunt for signs of compromise, monitor authentication or identity management services, isolate enterprise systems, and audit privilege-level access accounts.
6. Once disconnected, agencies must follow a prescribed process to bring Ivanti appliances back online, including exporting configuration, factory resetting, rebuilding with patched software, and revoking certificates, keys, and passwords.
7. Agencies impacted by the Ivanti products are advised to assume that all linked domain accounts were compromised and take necessary actions, such as disabling joined/registered devices, double password reset, and revoking Kerberos tickers and cloud tokens.
8. Agencies are required to report their status on all actions to CISA using a provided CyberScope template and provide updates upon request or upon completion of all actions.
It’s important to ensure that these takeaways are communicated accurately to all relevant stakeholders and that any necessary actions are promptly initiated.