The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that the March security breach linked to vulnerable Ivanti products potentially compromised the data of more than 100,000 individuals, CyberScoop reported.
The breach, which dates back to January and is deemed to be a “major incident,” targeted CISA's Chemical Security Assessment Tool (CSAT) and the CISA Gateway, both integral systems for securing critical infrastructure. Although the breach did not result in any operational impact, CISA was forced to take the affected systems offline as a precautionary measure.
According to a CISA official, hackers exploited a vulnerability in Ivanti products to gain unauthorized access to the CSAT and CISA Gateway systems. While there is no evidence to suggest data theft, the breach compromised the integrity of the CSAT tool, necessitating disclosures to Congress.
According to Brandon Wales, CISA’s executive director, the investigation of the incident revealed that the attackers deployed a webshell against the CSAT tool and that there was “a loss of control in the system.” At the same time, the breach of the gateway was “quite limited,” and hackers did not deploy a webshell.
Although the agency implemented the vendor-recommended fixes on January 11 and ran daily checks using a tool Ivanti created to determine whether the device was compromised, the threat actors managed to circumvent the Ivanti mitigations and the Ivanti “integrity checker.” The attackers had access to CISA’s systems for two days, Wales said.
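The paragraph above describes an on-device integrity checker that the intruders were able to get past. The defensive lesson practitioners draw from that is to keep a file-hash baseline off the appliance and run the comparison from a trusted host, so a compromised box cannot quietly vouch for itself. The following Python snippet is an added illustration of that out-of-band check and is not Ivanti's integrity checker or any CISA tooling; the directory layout, file names and contents are constructed for the example.

```python
"""Out-of-band file integrity baseline: hash a tree, store the manifest
elsewhere, later re-hash and report added / removed / modified files.
Added example; not the vendor's integrity checker."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative file path under `root` to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare a trusted baseline manifest with a fresh one.

    Anything added is a candidate dropped file (a webshell would show up here),
    anything modified is a candidate tampered file, anything removed is a
    candidate anti-forensics action such as a deleted log."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys()
        if baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "app", "index.html"), "w") as f:
            f.write("constructed landing page\n")
        with open(os.path.join(root, "app", "config.xml"), "w") as f:
            f.write("<config>constructed</config>\n")
        with open(os.path.join(root, "logs", "audit.log"), "w") as f:
            f.write("constructed audit line\n")

        # In practice this manifest is copied to a separate analysis host.
        baseline = build_manifest(root)

        # Simulated post-incident state: one file altered, one dropped,
        # one log removed. All contents are placeholders.
        with open(os.path.join(root, "app", "config.xml"), "w") as f:
            f.write("<config>constructed-altered</config>\n")
        with open(os.path.join(root, "app", "unexpected.jsp"), "w") as f:
            f.write("constructed placeholder file\n")
        os.remove(os.path.join(root, "logs", "audit.log"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline's storage: if the manifest lives on the same device, an intruder with a shell can regenerate it after tampering, which is exactly the failure mode the paragraph above describes for an on-device checker.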
CISA is currently working on technological improvements to bolster the security of its systems, and is keeping the CSAT offline until enhancements are completed, according to Wales.