The United States Cybersecurity and Infrastructure Security Agency has given Federal Civilian Executive Branch agencies 48 hours to rip out all Ivanti appliances in use on federal networks, over concerns that multiple threat actors are actively exploiting multiple security flaws in these systems.
The order is part of the supplemental direction accompanying last week's emergency directive.
Security researchers say Chinese state-backed cyberattackers known as UNC5221 have exploited at least two vulnerabilities both as zero-days and since disclosure in early January - an authentication bypass and a command injection flaw - in Ivanti Connect Secure.
Private entities with Ivanti appliances in their environments are strongly recommended to prioritize taking these same steps to protect their networks from potential exploitation.
Because Ivanti appliances bridge the organization's network to the broader Internet, compromising these boxes means attackers can potentially access domain accounts, cloud systems, and other connected resources.
The recent warnings from Mandiant and Volexity that multiple threat actors are exploiting the flaws at scale are likely why CISA is insisting on physically disconnecting the appliances right away.
CISA provided instructions on looking for indicators of compromise, as well as how to reconnect everything to the networks after the appliances are rebuilt.
CISA also said it will provide technical assistance to agencies without internal capabilities to carry out these actions.
How To Reconnect Appliances
The Ivanti appliances cannot simply be reconnected to the network; they need to be rebuilt and upgraded to remove the vulnerabilities and anything attackers may have left behind.
Agencies are instructed to first export the appliance's configuration settings, perform a factory reset, and then rebuild the appliance.
The appliance's software must be upgraded through the official download portal to one of the following versions: 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, or 9.1R17.2.
Once the upgrade is complete, the configuration settings can be imported back onto the appliance.
The assumption is that the appliances have been compromised, so the next step is to revoke and reissue all connected or exposed certificates, keys, and passwords.
That includes resetting the admin enable password, stored API keys, and the password of any local user defined on the gateway, such as service accounts used for auth server configuration.
Agencies must report to CISA the status of these steps by Feb. 5, 11:59PM EST.
Assume Compromise
It is safer to assume that all services and domain accounts connected to the appliances have been compromised, and to act accordingly, than to try to guess which systems may have been targeted.
Agencies must reset passwords twice for on-premise accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts.
Cloud-joined and cloud-registered devices need to be disabled in order to revoke their device tokens.
Agencies are required to report their status across all the steps by March 1, 11:59PM EST.
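The following is an added example, not code from the article or from CISA's directive, of how a Windows administrator might carry out the account-hygiene steps above in PowerShell: resetting each exposed on-premises account twice, invalidating existing Kerberos tickets, revoking cloud refresh tokens and disabling cloud-registered devices. The account names and user principal name are constructed placeholders; the double reset of the krbtgt account is assumed to be the mechanism behind "revoke Kerberos tickets" (the article does not name one), and the Graph scopes and the delay between krbtgt resets are assumptions to check against your own tenant and domain policy. The example run at the bottom uses -WhatIf so nothing changes until that switch is removed.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the article or CISA): post-compromise credential and token
# revocation for accounts an Ivanti appliance could reach. Account names are constructed.

function New-RandomPassword {
    # 32 characters from a 64-symbol alphabet: 256 % 64 == 0, so byte mod length has no bias.
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return (-join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] }))
}

function Sync-PasswordToAllDcs {
    # Push only the password attributes from the PDC emulator to every other DC, so the
    # second reset is not racing normal replication and no DC still honours the old secret.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter * | Where-Object HostName -ne $pdc)) {
        Sync-ADObject -Object $DistinguishedName -Source $pdc -Destination $dc.HostName -PasswordOnly
    }
}

function Reset-AccountPasswordTwice {
    # Two consecutive resets: the first invalidates the stolen secret, the second ensures
    # that anything derived from the first new value (or its replication lag) is gone too.
    # Returns the final password as a SecureString so it can be stored in a vault and
    # re-entered on the rebuilt appliance's auth-server configuration.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$SecondsBetweenResets = 0
    )
    $pdc  = (Get-ADDomain).PDCEmulator
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Server $pdc
    if (-not $acct) { throw "Account '$Identity' not found" }
    $final = $null
    for ($i = 1; $i -le 2; $i++) {
        if ($PSCmdlet.ShouldProcess($Identity, "Password reset $i of 2")) {
            $final = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $final -Server $pdc
            Sync-PasswordToAllDcs -DistinguishedName $acct.DistinguishedName
        }
        if ($i -eq 1 -and $SecondsBetweenResets -gt 0 -and -not $WhatIfPreference) {
            Start-Sleep -Seconds $SecondsBetweenResets
        }
    }
    return $final
}

function Invoke-KrbtgtDoubleReset {
    # Assumed mechanism for "revoke Kerberos tickets": the KDC accepts tickets under the
    # current and the previous krbtgt key, so only a second reset rejects every TGT issued
    # before the incident. The default gap (10 h, the default maximum TGT lifetime) limits
    # disruption; shorten it if immediate revocation matters more than service continuity.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$SecondsBetweenResets = 36000)
    Reset-AccountPasswordTwice -Identity 'krbtgt' -SecondsBetweenResets $SecondsBetweenResets | Out-Null
}

function Revoke-CloudAccessForUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke refresh tokens')) {
        # Invalidates refresh tokens and session cookies; already-issued access tokens
        # remain valid until they expire, which is why this runs before, not instead of,
        # the password reset.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }
    # Device tokens are only invalidated when the device object itself is disabled.
    foreach ($dev in (Get-MgUserRegisteredDevice -UserId $user.Id)) {
        if ($PSCmdlet.ShouldProcess($dev.Id, 'Disable registered device')) {
            Update-MgDevice -DeviceId $dev.Id -AccountEnabled:$false
        }
    }
}

# --- Example run: constructed account names; remove -WhatIf to apply the changes ---
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'
$onPremAccounts = @('svc-ivanti-ldap', 'svc-ivanti-radius')   # constructed placeholders
foreach ($a in $onPremAccounts) {
    $finalPassword = Reset-AccountPasswordTwice -Identity $a -WhatIf
    # Store $finalPassword in your secrets vault before configuring the rebuilt appliance.
}
Invoke-KrbtgtDoubleReset -WhatIf
Revoke-CloudAccessForUser -UserPrincipalName 'svc-ivanti@example.com' -WhatIf   # constructed
```

The order matters: cloud sessions are revoked and on-premises passwords reset before the krbtgt reset, so that the tickets an attacker could mint from a stolen service-account key are already useless by the time the domain-wide key rotation completes. Hybrid-joined devices also have a computer object in AD; those are reset with Reset-ComputerMachinePassword on the device or by the same Reset-AccountPasswordTwice call against the computer account.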
Published on www.darkreading.com, Thu, 01 Feb 2024 22:10:22 +0000.