Headline
Threat Actor May Have Accessed Sensitive Info on CISA Chemical App
An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.
Source: SeventyFour via Shutterstock
An unknown threat actor may have accessed critical information on US chemical facilities by compromising the US Cybersecurity and Infrastructure Security Agency’s (CISA) Chemical Security Assessment Tool (CSAT) earlier this year, by way of known Ivanti flaws.
Data the adversary may have accessed includes the types and quantities of chemicals stored at different facilities, facility-specific security vulnerability assessments, site security plans, and personnel identity information of individuals who might have sought access to restricted areas at high-risk facilities.
Anti-Terror Related Data
CISA required chemical facilities around the country to provide this information as part of the Department of Homeland Security’s Chemical Facility Anti-Terrorism Standards (CFATS) program to enhance security at high-risk chemical facilities in the US. CFATS expired in July 2023.
According to CISA, a threat actor may have accessed data in its CSAT application after chaining together several zero-day vulnerabilities Ivanti disclosed earlier this year in its Connect Secure appliance. In a notification letter to stakeholders, DHS associate director Kelly Murray said the intrusion happened during a two-day period, sometime between Jan. 23 and Jan. 26, 2024.
After gaining access to the Ivanti appliance, the threat actor deployed a web shell on it that enabled remote command execution and arbitrary file writes to the underlying system, Murray said. The attacker accessed the web shell several times during the two-day period but there is no evidence of any data exfiltration or lateral movement beyond the Ivanti device, she said.
“While CISA’s investigation found no evidence of exfiltration of data, this may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts,” Murray said. “All information in CSAT was encrypted using AES 256 encryption and information from each application had additional security controls limiting the likelihood of lateral access,” she noted.
Even so, David Brumley, CEO of ForAllSecure, says the CVEs that CISA pointed to in its advisory would allow an attacker to go from a remote and unprivileged status over the network to having full access. And at least one of the vulnerabilities already has a public exploit, Brumley says.
“CISA is saying for users to rotate their passwords, but I’m sure internally they’re doing an internal investigation as well,” he notes. “The vulnerabilities listed would have given attackers access to key parts of the network potentially.”
Brumley says its somewhat ironic that the very entity that notified other organizations about these vulnerabilities became a victim itself.
"If CISA can’t patch fast enough, what does that say about the rest of us?", Brumley says. “We need to be investing in quicker turnarounds from time-of-vulnerability-disclosure to having all systems patched.”
Potential Safety Implications
Howard Goodman, technical director at Skybox Security, says the breach has potential security implications given the nature of the CSAT tool and the sensitive data it contains. “The exposure of chemical inventories and security plans could potentially be exploited by malicious actors to target facilities, posing risks to public safety and the environment,” Goodman says.
Affected organizations should conduct a thorough review of their existing cybersecurity measures and, if needed, update them. They should also consider enhancing physical and cybersecurity measures, especially in areas identified in their CSAT submission. In addition, they should “increase monitoring and threat detection capabilities to identify any suspicious activities that may indicate targeted attacks,” Goodman says. “Engage in information sharing with industry peers and relevant government agencies to stay informed about potential threats and best practices.”
Ivanti Zero-Days
The DHS breach notification did not identify the specific Ivanti vulnerability or vulnerabilities that the threat actor exploited to gain access to the CSAT application. However, it directed stakeholders to a CISA advisory on Feb. 29, 2024, that warned about exploit activity targeting three vulnerabilities in Ivanti Connect and Policy Secure Gateways: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. The flaws affect all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways. Attackers can exploit the vulnerabilities in a chained fashion to bypass authentication mechanisms, craft malicious requests, and execute arbitrary commands with admin level privileges on affected systems.
The flaws were among several critical vulnerabilities Ivanti disclosed earlier this year, prompting a complete overhaul of its security practices.
In an emailed comment, Roger Grimes, data-driven defense evangelist at KnowBe4, expressed some dissatisfaction with CISA’s decision not to mention whether the agency had patched the flaws.
“If they were exploited by a known vulnerability where a patch was available…why wasn’t the patch installed?” Grimes said. “Was it simply due to the fact that the exploit happened faster than the patch could be applied [or] was the patch missed?”
CISA itself has recommended that all affected chemical facilities maintain their current cybersecurity and physical security postures and address vulnerabilities as they would normally.
“While the investigation found no evidence of credentials being stolen,” CISA added, “CISA encourages individuals who had CSAT accounts to reset the passwords for any account, business or personal, which used the same password.”
About the Author(s)
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.
Related news
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.