Ivanti vulnerabilities were used to access two CISA systems, but the identity of the hacker remains unknown.
The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed it has fallen victim to an unidentified hacker, warning that two of its systems were compromised some time in February.
According to CISA, the hackers took advantage of known vulnerabilities in a pair of Ivanti products: Ivanti Connect Secure and Ivanti Policy Secure, both network gateways.
Ironically, CISA had released an advisory on the vulnerabilities – which include CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 – while Ivanti itself had warned of active exploitation of the flaws, particularly by hackers backed by China.
However, despite Ivanti patching two of the flaws in late January and releasing an Integrity Checker Tool (ICT), CISA remained on alert. The agency actively questioned the efficacy of the tool in a separate advisory.
“During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise,” the advisory said. “In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”
Ivanti hit back, saying in its own blog post that it had seen no evidence of activity matching CISA’s description in the wild.
That was on 27 February. The Record reported on CISA’s hack on 9 March, the first such report of the incident.
CISA said in a widely reported comment that the incident was a warning that anyone can fall victim to hacking.
“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernise our systems, and there is no operational impact at this time,” CISA said.
“This is a reminder that any organisation can be affected by a cyber vulnerability, and having an incident response plan in place is a necessary component of resilience. We strongly urge all organisations to review our latest Ivanti advisory and take the steps outlined in it to protect their systems.”
CISA has not commented on the identity of the hackers.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.