CISA targeted through Ivanti VPN vulnerabilities, reports say


The DHS agency has been issuing warnings about Ivanti products since at least 2020.

The Cybersecurity and Infrastructure Security Agency was targeted in a hack last month that forced the agency to take two key systems offline, according to media reports late last week.

CISA, the top civilian cybersecurity agency in the Department of Homeland Security, said the exposures were linked to Ivanti virtual private network products that the agency has warned about multiple times in advisories since at least 2020. There was no operational impact to CISA and the systems ran on technology that was soon planned for replacement, according to the reporting.

The compromised systems included CISA’s Infrastructure Protection Gateway, where DHS partners can access infrastructure protection tools, and the Chemical Security Assessment Tool that provides private sector chemical security information, according to The Record and CNN.

“We welcome findings from our security and government partners that enable our customers to protect themselves in the face of this evolving and highly sophisticated threat,” an Ivanti spokesperson told Nextgov/FCW.

The agency on Feb. 29 issued another alert about Ivanti vulnerabilities alongside multiple overseas intelligence partners, warning that hackers could circumvent monitoring systems that tell users if their products are compromised. The company said that advisory “does not contain information on a new vulnerability, and Ivanti and our partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” a CISA spokesperson told the media outlets.

At the start of February, CISA directed all federal agencies to disconnect their systems from Ivanti products within 24 hours amid concerns that hackers could make their way into government networks.

Cybercriminals have been using the exposures for targeted attacks over a significant period of time, said Mike Sikorski, the Unit 42 threat intelligence lead at Palo Alto Networks, speaking on a March 11 Cyber Threat Alliance webinar. China-linked operatives and others tend to jump on those opportunities, he added.

CISA did not attribute the incident to any specific hacking group or entity, but it has previously linked China-backed collectives to past exploitation of Ivanti offerings. Private sector researchers have also doubled down on attributing many of the hacks targeting Ivanti setups to China.