Chemical facilities in the US that use the Cybersecurity and Infrastructure Security Agency's (CISA) Chemical Security Assessment Tool (CSAT) could be at risk following a data breach that allegedly occurred in January 2024.
Attackers may have been able to access sensitive and confidential material related to facility security assessments after exploiting an Ivanti device to drop a webshell.
CSAT is meant to help facilities keep up with their risk assessments: it provides a security vulnerability assessment (SVA) and a site security plan (SSP) for facilities determined to be high-risk and therefore potential targets of terrorists.
Exploited for months
As reported by The Record, two CISA systems were taken offline for investigation as early as March 2024 after an Ivanti device belonging to the agency was exploited by attackers.
CISA has now confirmed that a threat actor installed a webshell on the Ivanti Connect Secure device to maintain access, which the attacker then exploited multiple times over two days. The attacker abused three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
In the breach notification, CISA said: “CISA is notifying all affected participants in the CFATS program out of an abundance of caution that this information may have been accessed inappropriately. Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold for a major incident under the Federal Information Security Modernization Act (FISMA).”
Using the exploited Ivanti device, the attacker could have accessed highly sensitive information such as site security plans, security vulnerability assessments, CSAT user accounts, and submissions made to the staff assurance program.
Andrew Lintell, EMEA CEO of Claroty, said: “The chemicals sector has all the ingredients for a recipe for destruction. In a time of rising global tensions and nation-state-backed attacks, the leak of information about facilities containing dangerous chemicals could be a real problem.
“We have seen in the past that nation-states attempted to cause explosions at petrochemical plants that could have had disastrous consequences.”
“The leak of site security plans (SSP) could be the golden ticket for cybercriminals who want to infiltrate these facilities. As IT and OT networks converge, the potential to cause damage has increased significantly.
“It is vital that chemical sector organizations implement network segmentation to prevent lateral movement across cyber-physical systems and restrict any unnecessary connectivity,” Lintell concluded.
Via BleepingComputer