CISA works with partner agencies to notify breach victims and respond to threats. For this advisory those partners were the Federal Bureau of Investigation, the Multi-State Information Sharing & Analysis Center, the Australian Signals Directorate's Australian Cyber Security Centre, the United Kingdom's National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre.
According to the statement published by CISA, the attacks targeted Ivanti Connect Secure and Ivanti Policy Secure gateways. The threat actors used the vulnerabilities listed above to evade both the internal and the external versions of Ivanti's Integrity Checker Tool (ICT), so that a compromised appliance could still pass the vendor's integrity check. Based on its incident response work and its own lab testing, CISA also stated that an attacker may be able to retain root-level persistence on an appliance even after it has been factory reset.
The activity appears to date back to early 2024, when Ivanti disclosed that the vulnerabilities were being exploited to gain unauthenticated remote code execution on its gateways. Since that disclosure, CISA has presumably worked with Ivanti on the patches and mitigations issued in response to the attacks.
Because Ivanti's integrity checks failed to detect the compromise, it is unclear what information the attackers may have stolen. Those most at risk are organizations running Ivanti's appliances, a group that includes CISA itself and its affiliated partners.
No figure for the number of affected organizations or individuals has been published, but the potential scale is large. As with other vendor breaches, such as MOVEit or PJ&A, the count could grow quickly as downstream victims are identified, potentially reaching into the millions.