Ivanti integrity checker tool needs latest update to work, Five Eyes alert warns

The software company pushed back on the joint advisory, which comes following multiple directives from CISA this year prodding agencies to patch against Ivanti exploits.

Over the past two months, U.S. cybersecurity officials have ordered federal agencies to either patch or disconnect two gateways made by the firm Ivanti amid reports that they have been targeted by Chinese hacking operations. Now, in a fresh advisory released Thursday, authorities say that hackers are able to bypass Ivanti’s integrity checker tool that should have been able to detect compromises.

Multiple vulnerabilities in Ivanti Connect Secure or Policy Secure devices first gained widespread attention in early January after the Cybersecurity and Infrastructure Security Agency issued an emergency directive for federal agencies to patch their systems against the exploit. Weeks later, on Feb. 1, CISA issued a rare order that directed federal agencies to remove any Ivanti Connect Secure or Policy Secure products from their networks within days. Federal agencies were allowed to bring Ivanti products back to service after following guidance to secure the software.

At the time, Volexity found that the external integrity checker tool from Ivanti could be compromised by hackers. On Thursday, CISA, the FBI, the Multi-State Information Sharing and Analysis Center and cybersecurity agencies for the intelligence alliance known as the Five Eyes issued a joint alert warning that the internal and external integrity checker tool is no longer trustworthy and urged organizations to run the most recent version of the external checker released on Feb. 27. Thursday’s alert does not contain any new vulnerabilities.

“During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” CISA wrote in the alert.

Ivanti sharply disagreed with CISA’s assessment. “Based on current analysis, we believe that outside of a lab environment, this action would break the connection with the box, and thus would not gain persistence in a live customer environment,” a company spokesperson told CyberScoop in an email.

The spokesperson noted that the integrity checker tool is not a “magic bullet” and should be complemented by other tools. The tool provides a snapshot of the current state when the scan is made and cannot “necessarily detect threat actor activity if the appliance has been returned to a clean state,” the spokesperson said.

In the email, the spokesperson said that Ivanti and its partners “are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

CISA did not immediately respond to questions about the alert. However, the joint alert presents a stark warning for organizations still using those products.

“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” the alert warns.
