All federal civilian agencies ordered to disconnect at-risk Ivanti products by Friday
All federal civilian agencies in the U.S. have been ordered to disconnect Ivanti Connect Secure and Policy Secure products by Friday after more vulnerabilities were found in the tools this week.
In an updated directive published on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) gave agencies until Friday at midnight to remove the tools from their networks and until midnight on Monday to confirm that they had done so.
“Agencies running the affected products must assume domain accounts associated with the affected products have been compromised,” CISA said.
By March 1, agencies must take a range of technical actions on their networks and likewise report all of them to CISA.
CISA officials previously told reporters that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum … across the breadth of the federal mission,” an official said.
CISA said it has “observed some initial targeting of federal agencies” and is investigating each situation.
Ivanti announced on Wednesday that two new vulnerabilities had been discovered, and CISA said it had seen hackers shift their tactics since the initial mitigation guidance was issued early last month.
Ivanti said “a small number of customers” have been impacted by one of the new vulnerabilities – tagged as CVE-2024-21893.
Mandiant has conducted several incident response investigations and explained in a blog post that most of the initial exploitation was done by espionage threat actors allegedly based in China. Since the bugs were first announced, exploitation has expanded to cybercriminals and others.
Cybersecurity research firm Censys said that as of January 22, over 26,000 unique Connect Secure hosts are exposed on the public internet.
Ivanti released the first batch of patches for the two vulnerabilities on Wednesday but noted that patches for other supported versions will still be released on a staggered schedule.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.