The U.S. Cybersecurity and Infrastructure Security Agency (CISA) experienced a breach last month as hackers exploited vulnerabilities in Ivanti products. Ivanti appliances have been targeted by various threat groups, including an espionage cyber gang linked to China. Since January, Ivanti has issued patches for five high- and critical-severity vulnerabilities in Connect Secure, Policy Secure, and Neurons for Zero Trust Access products. Check Point researchers identified a new threat group, Magnet Goblin, abusing these vulnerabilities, targeting Connect Secure appliances. CISA confirmed the breach, with two systems taken offline—the Infrastructure Protection Gateway and the Chemical Security Assessment Tool. While CISA did not confirm the affected portals, it urged organisations to review an advisory issued on Feb. 29 about Ivanti vulnerabilities, emphasising the risk of adversary access. Magnet Goblin, a financially motivated group, stands out for its rapid adoption of 1-day vulnerabilities, using a diverse and sophisticated malware suite, including NerbianRAT, Ligolo, and WARPWIRE, enabling various cyber attacks.
Key Highlights:
CISA breached due to Ivanti product vulnerabilities
Ivanti appliances targeted by multiple threat groups
Patches issued for five high- and critical-severity vulnerabilities since January
Check Point identifies Magnet Goblin as a threat group exploiting Ivanti vulnerabilities
CISA confirms breach, taking offline the Infrastructure Protection Gateway and Chemical Security Assessment Tool
CISA urges organisations to review advisory on Ivanti vulnerabilities
Magnet Goblin stands out for rapid adoption of 1-day vulnerabilities and a diverse, sophisticated malware suite
Here are some controls that CISA, or any organisation, could adopt to strengthen its security posture and avoid similar attacks:
Regular Security Audits and Patch Management:
Conduct regular security audits to identify vulnerabilities.
Ensure timely patching of software and systems to address known vulnerabilities.
Employee Training and Awareness:
Train employees on cybersecurity best practices, including recognizing phishing attempts and avoiding malicious links.
Network Segmentation:
Implement network segmentation to contain potential breaches and limit lateral movement within the network.
Zero Trust Security Model:
Adopt a Zero Trust security model, where no entity, whether inside or outside the network, is trusted by default.
Incident Response Plan:
Develop and regularly update an incident response plan to ensure a swift and effective response to security incidents.
Multi-Factor Authentication (MFA):
Enforce the use of multi-factor authentication to add an extra layer of security for accessing sensitive systems.
Continuous Monitoring:
Implement continuous monitoring of network traffic and system logs to detect and respond to suspicious activity in real time.
Collaboration and Information Sharing:
Foster collaboration with other organisations and share threat intelligence to stay informed about emerging threats.
Vendor Risk Management:
Evaluate and manage the security risks associated with third-party vendors, ensuring they follow best security practices.
Regular Security Training and Drills:
Conduct regular security training sessions and simulated drills to test the effectiveness of security measures and improve incident response capabilities.
Remember, cybersecurity is an ongoing process, and staying vigilant, proactive, and adaptive to emerging threats is crucial for maintaining a robust security posture.
Source and further reading:
Hendery, S. (2024, March 11). CISA breached by hackers exploiting Ivanti bugs. SC Media. https://www.scmagazine.com/news/cisa-breached-by-hackers-exploiting-ivanti-bugs
CISA forced to take two systems offline last month after Ivanti compromise. (n.d.). https://therecord.media/cisa-takes-two-systems-offline-following-ivanti-compromise