Analyzing the latest Ivanti-linked CISA breach

Another day passes, another cyberattack strikes. This time, a recent incident impacted a major U.S. government entity known as the Cybersecurity and Infrastructure Security Agency (CISA). Back in February, CISA officials discovered that two of its internal computer systems were compromised by hackers who exploited bugs in Ivanti products, and both systems were taken offline once the breach was detected.

The two compromised systems were CISA’s Infrastructure Protection (IP) Gateway, an integrated tool that allows Department of Homeland Security (DHS) partners to obtain information about U.S.-based critical infrastructure for the purpose of conducting risk assessments, and the Chemical Security Assessment Tool (CSAT), a portal that holds data such as private sector chemical security plans. Attackers were able to bypass Ivanti’s Integrity Checker Tool (ICT) and deploy a web shell against CSAT. The software on the systems used by CISA and other end users was outdated and due for an update, which gave the attackers an opening to breach the agency.

CISA revealed to Congress that the attack on the CSAT tool may have impacted more than 100,000 individuals, but according to officials there’s no evidence that suggests data theft or operational disruptions occurred.

Events leading up to the attack

Since early December 2023, Utah-based IT firm Ivanti has identified a string of vulnerabilities in its remote access VPN, Connect Secure, and its network access control solution, Policy Secure. CISA issued alerts and guidance on recovery measures and vendor-recommended fixes and patches, but over the past few months intruders have continued to exploit the vulnerabilities while evading detection.

Who’s behind the attack?

No threat actor has been officially attributed to this attack on CISA, but state-backed espionage groups linked to China are suspected of being responsible for the relentless exploitation of flaws in Ivanti’s network and endpoint solutions. Among the groups known to have exploited at least one of the recent Ivanti flaws is a threat actor tracked as “Magnet Goblin.” This group generally focuses on one-day vulnerabilities so that it can capitalize on them the moment they are disclosed. That was the case when Ivanti published an advisory for CVE-2024-21887: Magnet Goblin started targeting unpatched systems a day after the company released a patch.

The reality of cyber incidents today

The CISA breach illustrates how complex and dynamic the threat environment currently is for government agencies. CISA’s swift detection of suspicious activity, followed by the proactive step of taking the two critical systems offline, underscores its commitment to resilience, especially given the repeated, sophisticated attacks on the same software in the months leading up to the attack on CISA.

Lessons learned: The importance of IT modernization

A key takeaway from this incident is that legacy systems should be updated or replaced on a regular schedule to lower the risk posed by vulnerabilities in third-party software. Government entities of all sizes store sensitive information, so keeping every element of the cybersecurity infrastructure secure and up to date helps protect against known weaknesses and flaws.

Photo: Tada Images / Shutterstock

This post originally appeared on Smarter MSP.
