Alert Issued by CISA: Suspected Data Theft Targeting Chemical Facilities
CISA Suffers Data Breach Due to Exploited Ivanti VPN Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a data breach in January was linked to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure remote-access VPN appliances. The two vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), were chained together in a broader active exploitation campaign against Ivanti Connect Secure appliances that affected multiple organizations, including U.S. government entities.
The attackers, who gained access to CISA's systems via these vulnerabilities, deployed web shells to maintain persistence and enable remote command execution. They also used tools such as Behinder and neo-reGeorg, and custom malware including GOREVERSE and a Golang-based tunneling tool called GOHEAVY, to move laterally within compromised networks while avoiding detection.
The attackers also installed further malware, including kernel-mode rootkits, and modified system scripts. This enabled them to conduct reconnaissance, escalate privileges, and move laterally through targeted networks, the same pattern seen in similar breaches of critical infrastructure and government entities internationally.
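The exploit chain behind the intrusion described above leaves a recognizable trace in the appliance's web access logs. The script below is an added example, not code from the article or from CISA or Ivanti. The request paths it matches come from the public exploit analysis of CVE-2023-46805 and CVE-2024-21887 (the TOTP backup-code traversal prefix that bypassed authentication, and the two endpoints that passed attacker input to a shell), which this article does not list; the log lines, IP addresses, and rule names are constructed for illustration and are assumptions of the example, not observed data.

```python
"""Flag web-access-log requests that match the published exploit chain for
CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection) in
Ivanti Connect Secure.  Added example with constructed log data."""
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints from the public exploit analysis (not from the article): prefixing
# a request with the TOTP backup-code path plus "../" reached authenticated
# endpoints without credentials (CVE-2023-46805), and the keys-status and
# cloud-server-test-connection handlers passed attacker input to a shell
# (CVE-2024-21887).  The rule names below are my own labels (assumption).
TRAVERSAL_PREFIX = "/api/v1/totp/user-backup-code/"
KEYS_STATUS = "/api/v1/license/keys-status/"
CLOUD_TEST = "/api/v1/system/maintenance/archiving/cloud-server-test-connection"

# Constructed sample lines (RFC 5737 test addresses); the 200s on lines 2-3
# are what an unmitigated appliance would return to these requests.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2024:03:14:07 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [23/Jan/2024:03:15:01 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;cat%20/etc/passwd HTTP/1.1" 200 913
198.51.100.7 - - [23/Jan/2024:03:15:09 +0000] "POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection HTTP/1.1" 200 64
10.0.0.9 - - [23/Jan/2024:03:16:30 +0000] "GET /api/v1/license/keys-status HTTP/1.1" 401 0
"""


def normalize(path):
    """Drop the query string and URL-decode twice (catches %2F and %252F)."""
    return unquote(unquote(path.split("?", 1)[0]))


def resolve(path):
    """Collapse '.' and '..' segments so the endpoint actually reached is visible."""
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def classify(method, raw_path):
    """Return the list of rule names a single request matches (empty if clean)."""
    norm = normalize(raw_path)
    target = resolve(norm)
    rules = []
    traversal = norm.startswith(TRAVERSAL_PREFIX) and "/../" in norm
    if traversal:
        rules.append("auth-bypass traversal (CVE-2023-46805 pattern)")
    # A ';' in the keys-status path segment is the injection point, whether or
    # not the request also used the traversal to get there.
    if target.startswith(KEYS_STATUS) and ";" in target[len(KEYS_STATUS):]:
        rules.append("command injection via keys-status (CVE-2024-21887 pattern)")
    if target == CLOUD_TEST and method == "POST" and traversal:
        rules.append("unauthenticated POST to cloud-server-test-connection (CVE-2024-21887 pattern)")
    return rules


def find_exploit_attempts(log_text):
    """Scan CLF text; return one finding per suspicious line with its rules."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _CLF.match(line)
        if not m:
            continue
        rules = classify(m["method"], m["path"])
        if rules:
            findings.append({
                "line": lineno,
                "client": m["client"],
                "status": int(m["status"]),
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in find_exploit_attempts(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["status"] == 200 else "attempt"
        print(f"line {f['line']}: {f['client']} {flag}: " + "; ".join(f["rules"]))
```

The status code is the part worth escalating: a matched request that the appliance answered with 200 means the traversal was honored, which an appliance with the vendor mitigation or patch applied should not do. The double URL-decode and segment resolution are there because the traversal can be encoded several ways, and matching only the literal `../` string misses them.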
Kelly Murray, associate director at CISA, stated that CISA maintained several layers of defense and separation between the exploited Ivanti device and potentially sensitive data, but that it cannot rule out that unauthorized access was achieved. CISA, which no longer uses the affected Ivanti products, declined to say what actions the attacker took after accessing the web shell.
The attackers installed an advanced web shell on the exploited Ivanti Connect Secure device serving CISA's Chemical Security Assessment Tool (CSAT) on January 23. The intrusion into CSAT lasted from January 23 to 26, and during that window top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, and CSAT user accounts may have been accessed.
CISA had already blocked industry access to the CSAT system in July 2023, when Congress declined to reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program. The system was taken completely offline when the agency discovered the intrusion in January and will remain offline until the program is reauthorized.
In response to the breach, CISA sent notifications to all potentially impacted organizations, because the breach met the threshold of a major incident under the Federal Information Security Management Act of 2002: unauthorized access to the personally identifiable information of at least 100,000 people. Ivanti released the first patches for these vulnerabilities on January 31, after the intrusion window had closed; interim mitigations had been available since the vulnerabilities were disclosed on January 10.
This aligns with reported patterns of Chinese-linked threat groups using these zero-days to compromise high-value targets through Ivanti VPN appliance vulnerabilities. The attackers' use of web shells, kernel rootkits, and various backdoors to maintain access, execute arbitrary commands, and move laterally within the network underscores the need for organizations to apply vendor mitigations and patches to internet-facing appliances promptly and to hunt for post-exploitation artifacts on them.
- The data breach at the Cybersecurity and Infrastructure Security Agency (CISA) was traced back to exploited zero-day vulnerabilities in Ivanti remote-access VPN appliances, which are widely used across industries such as finance, energy, and aerospace.
- The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were part of a broader active exploitation campaign targeting Ivanti Connect Secure VPN appliances in multiple organizations, including government entities.
- The attackers, using tools such as Behinder, neo-reGeorg, GOREVERSE, GOHEAVY, and custom malware, moved laterally within compromised networks, conducted reconnaissance, and escalated privileges.
- Following the breach, CISA sent notifications to potentially impacted organizations, classifying the event as a major incident under the Federal Information Security Management Act of 2002 because the personally identifiable information of at least 100,000 people may have been accessed.