The federal cybersecurity agency in the US has shut down two essential computer systems after it discovered that hackers breached its network.
According to US officials familiar with the situation, one of the compromised systems at the US Cybersecurity and Infrastructure Security Agency (CISA) operated a critical program used by federal, state, and local officials to exchange tools for assessing cyber and physical threats. The second system contained detailed information regarding the security assessments of facilities handling chemicals.
CISA has yet to confirm which systems were taken offline, but a CISA spokesperson highlighted that the hack was limited to the two systems that the agency shut down.
“We continue to upgrade and modernize our systems, and there is no operational impact at this time,” a CISA spokesperson said in a statement. “This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”
It’s not clear who’s behind the hack, but it was carried out by exploiting flaws in widely used virtual private network (VPN) software developed by Ivanti, a Utah-based IT company.
The agency pointed to an advisory it released on February 29, alerting organizations to threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. The advisory specifically underlines three vulnerabilities: CVE-2023-46805 (an authentication bypass), CVE-2024-21887 (a command injection), and CVE-2024-21893 (a server-side request forgery), which attackers chained to gain unauthenticated access to the appliances.
Attackers harvested login credentials stored on the compromised Ivanti devices and, in some instances, used them to move further into the network and gain complete control of the domain.
CISA said at the time that Ivanti’s Integrity Checker Tool (ICT), the utility customers run to check an appliance for tampering, could not be relied on: “Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.”
“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment,” the agency said.