CISA warns against using hacked Ivanti devices even after factory resets

February 29, 2024 at 03:40PM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that attackers who breach Ivanti appliances can maintain root persistence even after factory resets. Four vulnerabilities, rated from high to critical, allow evasion of Ivanti’s Integrity Checker Tool. CISA warned that compromised Ivanti devices pose a significant risk and ordered federal agencies to disconnect and rebuild affected devices due to substantial threats.

Key takeaways:

– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that attackers who breached Ivanti appliances using multiple vulnerabilities can maintain root persistence even after performing factory resets.
– Ivanti’s Integrity Checker Tool (ICT) failed to detect compromise. The four vulnerabilities mentioned carry severity ratings from high to critical and allow for various types of exploitation.
– Ivanti responded by stating that remote attackers attempting to gain root persistence on an Ivanti device using the method CISA found would lose connection to the Ivanti Connect Secure appliance.
– CISA urged all Ivanti customers to consider the significant risk of adversary access and persistence on Ivanti Connect Secure and Policy Secure gateways and ordered all federal agencies to disconnect and reset compromised Ivanti devices.

Overall, the article highlights the importance of addressing the vulnerabilities in Ivanti devices, the potential challenges in detecting compromise, and the actions recommended by CISA to mitigate the risk associated with using compromised Ivanti devices.