CISA Orders Ivanti VPN Appliances Disconnected: What to Do

The United States Cybersecurity and Infrastructure Security Agency (CISA) has given Federal Civilian Executive Branch agencies 48 hours to rip out all Ivanti appliances in use on federal networks, over concerns that multiple threat actors are actively exploiting multiple security flaws in these systems. The order is part of the supplemental direction accompanying last week's emergency directive (ED 24-01).

Security researchers say Chinese state-backed cyberattackers known as UNC5221 have exploited at least two vulnerabilities both as zero-days and since disclosure in early January — an authentication bypass (CVE-2023-46895) and a command injection (CVE-2024-21887) flaw — in Ivanti Connect Secure. In addition, Ivanti said this week that a server-side request forgery (CVE-2024-21893) flaw has already been used in "targeted" attacks as a zero day, and it disclosed a privilege-escalation vulnerability in the Web component of Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21888) that was not yet observed in attacks in the wild.

"Agencies running affected Ivanti Connect Secure or Ivanti Policy Secure products are required to immediately perform the following tasks: As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks," CISA wrote in its supplemental direction.

CISA's directive applies to the 102 agencies listed as "federal civilian executive branch agencies," a list which includes the Department of Homeland Security, Department of Energy, Department of State, Office of Personnel Management, and the Securities and Exchange Commission (but not the Department of Defense).

Private entities with Ivanti appliances in their environments are strongly recommended to prioritize taking these same steps to protect their networks from potential exploitation.

Ivanti VPN Cyber-Risk: Rip It All Out

The instruction to disconnect, not patch, the products with just roughly 48 hours notice "is unprecedented," noted cloud security researcher Scott Piper. Because Ivanti appliances bridge the organization's network to the broader Internet, compromising these boxes means attackers can potentially access domain accounts, cloud systems, and other connected resources. The recent warnings from Mandiant and Volexity that multiple threat actors are exploiting the flaws in mass numbers is likely why CISA is insisting on physically disconnecting the appliances right away.

CISA provided instructions on looking for indicators of compromise (IoCs), as well as how to reconnect everything to the networks after the appliances are rebuilt. CISA also said it will provide technical assistance to agencies without internal capabilities to carry out these actions.

Agencies are instructed to continue threat-hunting activities on systems that were connected to, or recently connected, to the appliances, as well as to isolate the systems from enterprise resources "to the greatest degree possible." They should also monitor any authentication or identity management services that could have been exposed and audit privilege-level access accounts.

How To Reconnect Appliances

The Ivanti appliances cannot just be reconnected to the network, but need to be rebuilt and upgraded to remove the vulnerabilities and anything attackers may have left behind.

"If exploitation has occurred, we believe it is likely that the threat actor has taken an export of your running configurations with the private certs loaded on the gateway at time of exploit, and left behind a Web shell file enabling backdoor future access," Ivanti wrote in a knowledgebase article explaining how to rebuild the appliance. "We believe the purpose of this Web shell is to provide a backdoor to the gateway after the vulnerability is mitigated, for this reason we are recommending customers revoke and replace certificates to prevent further exploitation after mitigation."

The assumption is that the appliances have been compromised, so the next step is to revoke and reissue all connected or exposed certificates, keys, and passwords. That includes resetting the admin enable password, stored API keys, and the password of any local user defined on the gateway, such as service accounts used for auth server configuration.

Agencies must report to CISA the status of these steps by Feb. 5, 11:59PM EST.

Assume Compromise

It is safer to assume that all services and domain accounts connected to the appliances have been compromised and to act accordingly, than trying to guess which systems may have been targeted. As such, agencies must reset passwords twice (double password reset) for on-premise accounts, revoke Kerberos tickets, and revoke tokens for cloud accounts. Cloud joined/registered devices needed to be disabled in order to revoke the device tokens.

Agencies are required to report their status across all the steps by March 1, 11:59PM EST.