2 April 2024

Ivanti breach at CISA may have impacted over 100,000 people


The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that the March security breach linked to vulnerable Ivanti products potentially compromised the data of more than 100,000 individuals, CyberScoop reported.

The breach, which dates back to January and is deemed to be a “major incident,” targeted CISA's Chemical Security Assessment Tool (CSAT) and the CISA Gateway, both integral systems for securing critical infrastructure. Although the breach did not result in any operational impact, CISA was forced to take the affected systems offline as a precautionary measure.

According to a CISA official, hackers exploited a vulnerability in Ivanti products to gain unauthorized access to the CSAT and CISA Gateway systems. While there is no evidence to suggest data theft, the breach compromised the integrity of the CSAT tool, necessitating disclosures to Congress.

According to Brandon Wales, CISA’s executive director, the investigation of the incident revealed that the attackers deployed a webshell against the CSAT tool and that there was “a loss of control in the system.” At the same time, the breach of the gateway was “quite limited,” and hackers did not deploy a webshell.

Although the agency implemented the vendor-recommended fixes on January 11 and ran daily checks using a tool Ivanti created to determine whether the device was compromised, the threat actors managed to circumvent the Ivanti mitigations and the Ivanti “integrity checker.” The attackers had access to CISA’s systems for two days, Wales said.

CISA is currently working on technological improvements to bolster the security of its systems, and is keeping the CSAT offline until enhancements are completed, according to Wales.
