The Cybersecurity and Infrastructure Security Agency issued an emergency directive Friday for federal agencies to patch their systems against an active zero-day exploit in a piece of virtual private network software.
The emergency directive concerns a series of vulnerabilities in Ivanti Connect Secure VPN and Policy Secure products that were publicly disclosed by the Utah-based software company on Jan. 10. The emergency directive is the first of the year.
“At this point, we are investigating the potential targeting of agencies but have not confirmed any compromises,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said during a media call Friday.
Goldstein said that CISA is aware of “15 agencies or so” that were using the vulnerable devices, but that those agencies quickly mitigated the bugs. Goldstein said that the campaign appears to be largely opportunistic.
“What we and industry have seen so far is actors deploying web shells, which, of course, are snippets of code that enable the actor to maintain some persistence on the device and use it later to do any number of activities,” Goldstein said.
Goldstein said that “immediately” following the disclosure by Ivanti, CISA began communicating with federal agencies, including holding multiple calls with security operations centers.
So far, the campaign has impacted at least 2,100 devices worldwide, according to the cybersecurity firm Volexity, which first saw the exploitation during the first week of December. Volexity attributed the initial campaign to an unknown Chinese nation-state group that it tracks as UTA0178. However, since the initial exploitation, many other threat groups have joined in, the firm noted.
CISA has not attributed the campaign to any actor, and Goldstein said during the call that they have not seen any evidence of Beijing exploiting the vulnerabilities on federal agency networks. However, Chinese state hackers have previously targeted Ivanti products.
Additionally, the cybersecurity firm GreyNoise found that hackers were deploying cryptominers on vulnerable Ivanti devices.
Ivanti noted that they are “aware of less than 20 customers impacted by the vulnerabilities prior to public disclosure.” Additionally, the firm stated that they don’t have any evidence that this was a supply chain attack.
CISA said it has observed “widespread and active exploitation” of the Ivanti vulnerabilities, which, if exploited together, could lead to a full compromise of networks. Federal civilian executive branch agencies — the government departments and agencies that fall outside of military and intelligence — are expected to meet the deadline before Tuesday.
Ivanti released a temporary mitigation in the form of a file that can be imported into the impacted software, but a permanent patch has yet to be issued. When that patch is issued, agencies are expected to follow additional directions from CISA, Goldstein said. The federal agencies are also required to run an external tool from Ivanti that checks for compromises, CISA noted. Volexity found that the internal tool from Ivanti had been modified so that it could not detect any compromise.
Last Friday, the cybersecurity firm Mandiant released a blog post on the exploitation of the bugs, detailing the five malware strains that were used for espionage and to establish persistence. The Google-owned firm did not attribute the exploitation to any particular group or location, and is using the name “UNC5221” for the cluster of activity. However, the firm suspects that the campaign is the work of a nation-state group motivated by espionage.
“UNC5221’s activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors,” the firm wrote. “As we have previously reported, the combination of zero-day exploitation, edge device compromise, use of compromised C2 infrastructure, and detection evasion methods such as writing code to legitimate files have become a hallmark of espionage actors’ toolboxes.”