US Government agencies using Ivanti Connect Secure and Ivanti Policy Secure have been told to disconnect these solutions immediately and not turn them back on until they’re absolutely certain they’ve been properly patched, and their networks disinfected from possible hacker incursions.
This stark warning was issued by the Cybersecurity and Infrastructure Security Agency (CISA), as part of its Emergency Directive 24-01.
According to this Supplemental Direction V1, after disconnecting the instances, federal agencies using these affected products must continue threat hunting, monitoring of authentication services, and isolation of affected systems. Furthermore, they are urged to audit privilege level access accounts, too.
Cleaning up the gear
It has been a somewhat hectic start to 2024 for Ivanti, which in early January announced discovering and patching two critical vulnerabilities in some of its products, which allowed threat actors to run arbitrary commands on flawed endpoints.
Releasing a security advisory at the time, Ivanti said the flaws were tracked as CVE-2023-46805, and CVE-2024-21887. The former is an authentication bypass, while the latter code injection.
Soon after the announcement, CISA warned federal agencies that the flaws were being abused in the wild and that they should apply workarounds, mitigations, and patches, immediately. The agency warned of a “sharp increase” in attacks after January 11, with threat actors targeting everyone, including government firms.
To be able to use Ivanti’s services again, agencies must follow specific steps, including exporting configuration settings, performing a factory reset, and upgrading to supported software versions. They also have until February 5 to report their actions and status to CISA.
There are more than 22,000 Ivanti ICS VPNs exposed online at the moment, BleepingComputer claims, with almost 400 Ivanti VPN devices also thought to be at risk.
Via BleepingComputer
