Pierluigi Paganini March 09, 2024

Threat actors hacked the systems of the Cybersecurity and Infrastructure Security Agency (CISA) by exploiting Ivanti flaws.

The US Cybersecurity and Infrastructure Security Agency (CISA) agency was hacked in February, the Recorded Future News first reported. In response to the security breach, the agency had to shut down two crucial systems, as reported by a CISA spokesperson and US officials with knowledge of the incident, according to CNN.

One of the systems impacted by the incident is used to facilitate the sharing of cyber and physical security assessment tools among federal, state, and local officials. The second system was holding information related to the security assessment of chemical facilities.

Recorded Future News, citing a source with knowledge of the situation, reported that the hacked systems were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).

The CSAT hosts sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

A CISA spokesperson told to Recorded Future News that the initial investigation conducted by the government experts revealed that the attackers exploited vulnerabilities in Ivanti products used by the agency.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

Ironically, CISA warned US organizations about attacks exploiting vulnerabilities in Ivanti software. On February 1st, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

On February 29, CISA warned organizations again that threat actors are exploiting multiple vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) in Ivanti Connect Secure and Policy Secure Gateways.

The agency did not provide details about the attack or attribute it to a specific threat actor.

A CISA spokesperson told CNN that the security breach did not impact the operations of the agency.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Ivanti)