CISA: "Disable everything!" Urgent evacuation due to a cyberattack on the public sector

Teacher

CISA warns that at midnight, government systems will become an easy target for hackers.

The US Cybersecurity and Infrastructure Protection Agency (CISA) has demanded that all federal agencies urgently disable Ivanti Connect Secure and Ivanti Policy Secure devices due to three zero-day vulnerabilities actively exploited by hackers in these products.

The first two issues, CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), have been exploited by attackers since December for massive attacks on Ivanti devices around the world.

Ivanti also warned of a third zero-day vulnerability, CVE-2024-21893. It also allows authentication to be bypassed on vulnerable Ivanti Connect Secure and Ivanti Policy Secure gateways.

On Wednesday, security updates were released for some versions of the software affected by these threats. Ivanti also provided mitigation instructions for devices that can't be protected right now.

The deadline for disabling devices is set at midnight on Friday, February 2. Then agencies should continue to search for signs of compromise. They should also monitor authentication and access control services, isolate corporate systems, and check privileged accounts.

Before connecting Ivanti devices back to the network, organizations need to perform a number of security measures: export the current configurations, reset the devices to factory settings, install the latest updates from the manufacturer, re-import previously saved configurations, and revoke all potentially compromised certificates, keys, and access passwords.

According to Shodan, more than 22,000 Ivanti devices are now available online. Shadowserver records hundreds of cases of these devices being hacked around the world every day.

Experts fear that hackers may have secretly controlled some US government networks for weeks or even months, and this calls into question the security of sensitive data of national importance.

"This additional directive remains in effect until CISA confirms that all agencies using the vulnerable Ivanti software have fully met all the necessary requirements under the directive. The directive can also be revoked in another appropriate way," CISA said.