CISA Warns Hacked Ivanti VPN Appliances Still a Risk

CISA issues advisory on vulnerabilities affecting Ivanti VPN appliances.


CISA Warns Hacked Ivanti VPN Appliances Still a Risk Despite Factory Resets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations using previously compromised Ivanti VPN gateways, stating attackers can still maintain root persistence even after performing factory resets. 

This comes after the agency discovered Ivanti’s Integrity Checker Tool (ICT) failed to detect vulnerabilities in multiple hacking incidents involving hacked Ivanti appliances.

Ivanti VPN appliances get compromised

Earlier this week, CISA found bad actors employed previously identified exploits to compromise Ivanti’s VPN products, including CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893.

The cybersecurity agency also established that attackers could still exploit these vulnerabilities to gain root-level persistence, even after a factory reset.

Even worse, further analysis showed that Ivanti’s ICT scans failed to detect multiple hacking events relating to its equipment.

The attackers managed to hide their activities by manipulating timestamps, replacing files, and resetting system partitions, Bleeping Computer reports.

Accordingly, CISA suggests organizations should not rely solely on factory resets to clean compromised devices, as suspicious activity might persist even after this process.

The threats “can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges”, said the agency.

CISA issues cautionary measures

Ivanti responded to CISA’s advisory, stating that remote attackers attempting to gain root persistence on its appliances using the exploits CISA found would lose connection.

The company further assured customers that it’s actively monitoring emerging threats and commits to fixing vulnerabilities, including improving detection tools (ICT).

Regardless of assurances, CISA advises all Ivanti customers to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment”.

The cautionary measure follows similar exploits that happened back in January. During that time, the cybersecurity agency advised federal government entities with compromised Ivanti products to assume all linked domain accounts were compromised.

The agency further recommended disabling joined/registered devices hosted in the cloud. Additionally, it directed performing double password resets alongside rotating Kerberos tickets and cloud tokens on hybrid setups.

Moving forward

Overall, CISA’s warning highlights the need for organizations to continuously be on high alert, implementing a layered approach to cybersecurity. 

This includes staying up-to-date with the latest security vulnerabilities, promptly applying patches and updates, and employing robust detection and response strategies.
