CISA takedown of Ivanti systems is a wake-up call
In the wake of the attack on Ivanti’s VPN software, which prompted decisive action from the Cybersecurity and Infrastructure Security Agency (CISA), what can we learn? This incident raises new questions about exploit techniques, organizational response to security breaches, and the skyrocketing cost of downtime.
First, let’s break down what happened. From what’s been disclosed, the vulnerabilities in Ivanti’s system, particularly its VPN gateway, enabled threat actors to bypass authentication and gain unauthorized access. By sending maliciously crafted packets to the VPN gateway, attackers had a free pass to infiltrate the system without needing to steal credentials. Once inside, they could export user credentials — including domain administrator credentials.
Attackers also exploited a second vulnerability to inject malicious code into the Ivanti appliance, giving them persistent access to the VPN (e.g., maintaining malicious control despite a reboot or patch). Mandiant and Dark Reading reporting indicated Ivanti’s initial stopgap mitigations were insufficient to prevent bypass: “Mandiant researchers flagged activity that uses a bypass for Ivanti’s initial stopgap mitigation technique.”
CISA warned that “the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.” This suggests there was a period during which attackers could, and possibly did, maintain persistence even after applying Ivanti’s suggested mitigations (though Ivanti notes that there are no on-the-record incidents of this happening). In any event, it is clear that, as the incident was unfolding in real time, there was a serious risk that attackers had achieved persistent access, and uncertainty as to whether the proposed mitigations were sufficient to defeat it. This is why CISA had to act quickly, and it did.
An attacker’s persistent access to a VPN gateway is especially dangerous because the attacker can now move laterally within the VPN, using the gateway’s trusted position to gain access to critical credentials and data. The bottom line: An attack compromising the VPN is bad, but here, the attack enabled the takeover of stored privileged administrative account credentials, which is much worse.
In response, CISA intervened to let organizations know they should assume the theft of critical credentials given the nature of the breach. The bigger concern was Ivanti’s apparent failure to detect the compromise, leaving attackers free to operate within a trusted zone, bypassing zero-trust principles, and posing heightened risks to sensitive data.
Prompted by the severity of the vulnerabilities and the potential for widespread exploitation, CISA took further action by taking two of Ivanti’s systems offline. This is an unusual safeguard, taken after careful assessment of the damage and risk.
To read the complete article, visit Dark Reading.