U.S. government investigating potential agency hacks exploiting Ivanti software flaws
The Cybersecurity and Infrastructure Security Agency confirmed Friday it's investigating potential hacks of some government agencies through recently discovered, high-severity flaws in some Ivanti products.
Why it matters: Nation-state hackers, including a group tied to the Chinese government, are believed to be targeting the flaws discovered last week in some of Ivanti's popular remote access tools.
- Ivanti has yet to release a fix for the flaws, but has released guidance that can keep hackers from exploiting them.
Driving the news: CISA issued an emergency directive on Friday calling on all civilian agencies to mitigate the flaws in Ivanti's Connect Secure VPN devices (formerly known as Pulse Secure) and its Policy Secure tools by end-of-day Monday.
- Agencies using Ivanti's products are also required to run their tools through Ivanti's external integrity checker tool to ensure hackers aren't still lingering in their networks after running any mitigation guidance.
- Eric Goldstein, executive assistant director for cybersecurity at CISA, told reporters that the federal government is investigating "some initial targeting of federal agencies as part of the broader opportunistic campaign."
- He added that it's too soon to say yet if any agency was successfully compromised.
What they're saying: "This is a rapidly evolving situation," Goldstein said during a press call. "The situation here is evolving by the hour."
Catch up quick: Ivanti confirmed last week that hackers are actively exploiting critical vulnerabilities in two of its products — confirming earlier reports from third-party security researchers.
- If successfully exploited, hackers could use these flaws to bypass user authentication protocols and remotely navigate themselves around a victim's network — allowing them to steal configuration data, login credentials and more.
- Ivanti has more than 40,000 total customers, and hackers are believed to have been targeting these flaws for at least a month before Ivanti discovered them.
Details: Roughly 15 government agencies were using affected Ivanti products, Goldstein told reporters on Friday, but each of those offices have already applied Ivanti's mitigation guidance.
- CISA declined to say which specific agencies are affected and where the potential intrusions were uncovered.
- Around 1,700 companies globally using Ivanti's products are said to have been targeted already, according to a report from cybersecurity firm Volexity.
- "At this point, we are assessing that the potential exposure on the federal civilian government is limited," Goldstein said. "We are not assessing a significant threat to the federal enterprise, but we know that that risk is not zero."
The intrigue: Goldstein added that CISA expects a wide array of hacking groups to start exploiting flaws in Ivanti's products — although industry reports have only uncovered evidence of Chinese group involvement so far.
- Meanwhile, the federal government hasn't seen any evidence yet that China state-sponsored hacks are a part of the campaign.
- "We know that edge devices like these Ivanti products are the favorite types of devices to be targeted because a) they are internet-facing and b) they allow a significant level of privilege to access a target network," Goldstein said.
The big picture: Ivanti's so-called zero-day vulnerabilities are just the latest in recent months to plague enterprise software.
What we're watching: New details are anticipated to come out in the coming weeks as researchers and government investigators glean new details about who was running the software, who was hacked and what data was stolen.