One of the organizations compromised through a recently discovered flaw in Ivanti products was, ironically, the US government's Cybersecurity and Infrastructure Security Agency (CISA).
Confirmation of the breach came from CISA itself, as well as from an anonymous source “with knowledge of the situation,” and a CISA spokesperson told The Record that the organization “identified activity that indicates exploitation of vulnerabilities in the Ivanti products that the agency uses.
“The impact was limited to two systems, which we immediately disconnected. “We continue to update and modernize our systems and there is no operational impact at this time,” the spokesperson said. As they did not share further details, the publication spoke to an anonymous source familiar with the matter, who stated that the systems breached and subsequently shut down included the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT). .
Ivanti's problems in 2024
The first has “critical information” about the interdependence of American infrastructure, while the second has “private sector chemical safety plans.” CSAT holds “some of the most sensitive industrial information in the country,” the publication further stated, saying it includes the Top Screen tool for high-risk chemical facilities, site security plans and security vulnerability assessment.
Unfortunately, we do not know if this was a ransomware attack and if the attackers actually stole any of the sensitive data supposedly stored on these endpoints. Additionally, the identity of the attacks is also unknown, but if it was ransomware, it was most likely LockBit, BlackCat (ALPHV), or Cl0p.
News of security flaws in Ivanti products first emerged in early January 2024, when the company announced that it would address a critical vulnerability in its endpoint management (EPM) software, allowing remote code execution ( RCE). In the following weeks, Ivanti found a handful of additional flaws, which were later discovered to be being abused en masse by different threat actors looking to deploy various malware and information stealers.