Any federal agency running Ivanti Connect Secure or Ivanti Policy Secure devices must disconnect them from their networks before midnight Friday, the United States’s top civilian cyber defense agency said Wednesday amid reports the vulnerable devices are being targeted by espionage operations linked to China.
Last month, CISA warned that the vulnerable Ivanti devices were subject to “widespread exploitation of vulnerabilities by multiple threat actors.” On Wednesday, the agency issued new instructions for how to update and bring those devices back online.
A CISA spokesperson did not immediately respond to a question about how many instances of Ivanti’s affected product are present in federal networks.
The CISA directive comes amid growing concern in Washington about Chinese cyberoperations. Separately on Wednesday, senior U.S. national security officials warned a Congressional panel that China’s aggressive cyber operations are not only aimed at gathering intelligence but also to preposition in critical civilian-focused U.S. networks in the event of military conflict.
Chinese hackers appear to be exploiting the Ivanti vulnerabilities to carry out espionage. Researchers with Google’s Mandiant wrote in a blog post Wednesday that they’d identified “broad exploitation activity” by suspected Chinese-linked espionage hackers they track as “UNC5221,” as well as other uncategorized attackers.
Cybersecurity experts said the CISA directive appeared aimed at definitively cutting off Ivanti devices as a way to target the U.S. government.
“I think what it largely boils down to is that CISA likely does not want to have ambiguity as to whether an Ivanti Connect Secure VPN appliance is compromised or not,” said Steven Adair, president of cybersecurity firm Volexity. “Given the multitude of vulnerabilities in the last month, the best way to go about that is to taken the systems offline, factory reset the device, start with a fresh build, and apply the latest patches.”
Ivanti has issued guidance on remediating issues with the devices based on the latest knowledge of how the attacks work. The company did not respond to a request for comment Thursday.
Last month — before CISA’s first directive regarding Ivanti devices — Adair and his team published research detailing what was then an “active in-the-wild exploitation” of two Ivanti vulnerabilities that made it “trivial for attackers to run commands on the system” and ultimately pivot to a handful of systems internally and gain “unfettered access to systems on the network.” That operation dates back to the second week of December 2023, according to the Volexity researchers.
“This is the first emergency directive issued by the Cybersecurity and Infrastructure Security Agency in almost two years, highlighting the criticality of the situation,” Glenn Thorpe, senior director of security research and detection engineering with Greynoise, told CyberScoop in an email Thursday.
Ron Bowes, Greynoise’s lead security researcher, added that Ivanti Connect Secure is designed to be internet-facing and to bridge the internet to a secure network, “which makes it a very good target.” Exploitation of one of the vulnerabilities — tracked as CVE-2024-21887 — is “quite simple,” Bowes said.
More than 85% of the known zero-day vulnerabilities exploited by Chinese state-sponsored hackers since 2021 were in public-facing appliances such as firewalls and VPN products, Recorded Future’s Insikt Group wrote in a November 2023 report.