In an urgent response to the detection of significant vulnerabilities in Ivanti Connect Secure VPN devices and Ivanti Policy Secure gateways, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday. The directive calls for immediate action from federal agencies to mitigate these vulnerabilities and requires agencies to remove compromised products from their networks. It also requires any signs of compromise to be reported to CISA immediately.

Detecting the Threat

The urgency of the directive stems from active exploitation of the Ivanti products, which the agency considers to pose an unacceptable risk because a compromised appliance gives an attacker a foothold for lateral movement, data exfiltration, and persistent access. Successful exploitation can result in complete compromise of the device. Ivanti has published temporary mitigation guidance and is developing patches, and it urges customers to apply the mitigation immediately. Applying the mitigation blocks further exploitation but does not undo an existing compromise, which is why the directive also requires agencies to hunt for signs of intrusion rather than simply mitigate and move on.

The Implications

This directive follows recent findings by cybersecurity firm Volexity, which identified active exploitation of two vulnerabilities in Ivanti Connect Secure VPN by a suspected Chinese nation-state threat actor. The two flaws, an authentication bypass and a command injection, were chained so that an unauthenticated attacker could run commands on the appliance. Volexity's investigation found that the attacker used this access to execute arbitrary commands, steal sensitive data, and reach internal systems through the Ivanti VPN appliance.

Next Steps for Agencies

Federal agencies now face the task of urgently mitigating these zero-day flaws, removing compromised products from their networks, and reporting their actions to CISA within a week. The two vulnerabilities carry CVSS severity scores of 8.2 (the authentication bypass) and 9.1 (the command injection) out of 10.0, and they affect all supported versions of Connect Secure and Ivanti's Policy Secure gateway. The directive sets strict deadlines for agencies to apply the available mitigations, search their appliances for signs of infection, and share indicators of compromise with CISA.

The implications of this directive and of the vulnerabilities in Ivanti's products reach well beyond federal agencies, with victims ranging from small businesses to Fortune 500 companies. The attacks are attributed to a nation-state threat actor that Volexity tracks as UTA0178 and believes is working on behalf of China's government. The situation is evolving rapidly, and further details about the intrusions and the data stolen are expected to emerge in the coming weeks.