CISA directs agencies to mitigate widespread VPN bugs


Two unpatched flaws in Ivanti's Connect Secure VPN are being exploited by hackers in the wild.

Federal civilian agencies are under emergency orders to address recently discovered flaws in a widely used virtual private network appliance from Ivanti that is currently being targeted by hackers linked to the People's Republic of China, officials said on Friday.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive, ordering agencies to apply temporary mitigation measures to the as-yet unpatched vulnerability in Ivanti's Connect Secure VPN.

Eric Goldstein, CISA's executive assistant director for cybersecurity, told reporters on Friday that the vulnerability was serious.

"Exploitation allows deep access into the target network enabling data exfiltration, or persistence to achieve other objectives," Goldstein said, noting that about 15 agencies were using these products and have already applied mitigation measures.

"We are not at this time in a place where we can confirm compromise for any federal agencies," Goldstein said, adding later in response to questions: "We are not assessing a significant risk to the federal enterprise, but we know that that risk is not zero."

Goldstein didn't specify how many of the 15 agencies that were identified as using the targeted systems were involved in national security, but noted that it affected a "wide spectrum of agencies across the breadth of the federal mission."

Under the CISA directive, agencies have until midnight on Monday Jan. 22 to complete mitigation measures specified by the manufacturer and take any compromised appliances out of service.

According to a blog post from security firm Volexity, more than 2,100 systems have been infected. The use of the zero-day bugs is being attributed by Volexity to a threat group linked to the People's Republic of China. Goldstein said CISA isn't attributing hacks associated with the vulnerabilities to any threat actor but noted that groups with PRC links have been active in leveraging exploits that target edge devices.

In a statement, CISA Director Jen Easterly asked private firms to take note of the urgency of the agency's directive.

"Even as federal agencies take urgent action in response to this directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this directive," Easterly said.