CISA confirmed that its CSAT environment was breached in January.

Pierluigi Paganini June 25, 2024

CISA warned chemical facilities that its Chemical Security Assessment Tool (CSAT) environment was compromised in January.

CISA warns chemical facilities that its Chemical Security Assessment Tool (CSAT) environment was breached in January.

In March, the Recorded Future News first reported that the US Cybersecurity and Infrastructure Security Agency (CISA) agency was hacked in February. In response to the security breach, the agency had to shut down two crucial systems, as reported by a CISA spokesperson and US officials with knowledge of the incident, according to CNN.

One of the systems impacted by the incident is used to facilitate the sharing of cyber and physical security assessment tools among federal, state, and local officials. The second system was holding information related to the security assessment of chemical facilities.

Recorded Future News, citing a source with knowledge of the situation, reported that the hacked systems were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).

The CSAT hosts sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

A CISA spokesperson told Recorded Future News that the initial investigation conducted by the government experts revealed that the attackers exploited vulnerabilities in Ivanti products used by the agency.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

Ironically, CISA warned US organizations about attacks exploiting vulnerabilities in Ivanti software. On February 1st, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

On February 29, CISA warned organizations again that threat actors are exploiting multiple vulnerabilities (CVE-2023-46805CVE-2024-21887, and CVE-2024-21893) in Ivanti Connect Secure and Policy Secure Gateways.

The agency did not provide details about the attack or attribute it to a specific threat actor.

CISA has confirmed that threat actors hacked into the CSAT Ivanti Connect Secure appliance on January 23, 2024, and uploaded a web shell. The US agency confirmed that the threat actor accessed the web shell several times over two days.

“On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance. During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system.” reads the advisory published by CISA. “Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment.”

The Cybersecurity and Infrastructure Security Agency’s Chemical Security Assessment Tool (CSAT) was hacked by a threat actor from January 23-26, 2024. This intrusion may have resulted in the potential unauthorized access of Top-Screen surveysSecurity Vulnerability AssessmentsSite Security PlansPersonnel Surety Program (PSP) submissions, and CSAT user accounts.

CISA confirmed that the CSAT user accounts contained at minimum, information provided under Personnel Surety Program that must have included an individual’s name, date of birth, and citizenship or gender. Facilities may have chosen to provide additional PII, including aliases, place of birth, passport number, redress number, Global Entry ID number, or Transportation Worker Identification Credential (TWIC) ID number.

CISA immediately took the impacted system offline, isolated the application from the rest of the network, and launched a forensic investigation involving the CISA’s Office of the Chief Information Officer, the Cybersecurity Division’s Threat Hunting team, and the Department of Homeland Security’s Network Operations Center.

The experts did not find evidence of attackers’ access beyond the Ivanti device or data exfiltration from the CSAT environment. All CSAT information was encrypted with AES 256 encryption, however encryption keys were inaccessible to the attackers.

CISA does not have any evidence of data exfiltration, however, the US Agency is notifying all impacted participants in the CFATS program out of an abundance of caution.

“Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).” concludes the advisory.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

you might also like

leave a comment