CISA issues emergency directive for federal agencies to patch Ivanti VPN vulnerabilities | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA issues emergency directive for federal agencies to patch Ivanti VPN vulnerabilities\"> <meta property=\"og:description\" content=\"The agency says the bug is being actively exploited and poses a risk to federal networks.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-01-19T22:13:10+00:00\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1705595524g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1705882623g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78842\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=78842\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-ivanti-vulnerability-emergency-directive%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcisa-ivanti-vulnerability-emergency-directive%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78842 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"23.447272727273\">\n<div class=\"single-article__header-content\" readability=\"28.193832599119\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> The agency says the bug is being actively exploited and poses a risk to federal networks. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg 8640w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> IT engineer working on computer. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.086647411686\"><body readability=\"90.203627569528\"><\/p>\n<p>The Cybersecurity and Infrastructure Security Agency issued an emergency directive Friday for federal agencies to patch their systems against an active zero-day exploit in a piece of virtual private network software.<\/p>\n<p>The <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities\">emergency directive<\/a> concerns a series of vulnerabilities around Ivanti Connect Secure VPN and Policy Secure products that were publicly released by the Utah-based software company on Jan. 10. The emergency directive is the <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\">first of the year<\/a>. <\/p>\n<p>\u201cAt this point, we are investigating the potential targeting of agencies but have not confirmed any compromises,\u201d Eric Goldstein, executive assistant director for cybersecurity at CISA, said during a media call Friday.<\/p>\n<p>Goldstein said that CISA is aware of \u201c15 agencies or so\u201d that were using the vulnerable devices, but that those agencies quickly mitigated the bugs. Goldstein said that the campaign appears to be largely opportunistic.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cWhat we and industry have seen so far is actors deploying web shells, which, of course, are snippets of code that enable the actor to maintain some persistence on the device and use it later to do any number of activities,\u201d Goldstein said.<\/p>\n<p>Goldstein said that \u201cimmediately\u201d following the disclosure by Ivanti, CISA began communicating with federal agencies, including holding multiple calls with security operation centers.<\/p>\n<p>So far, the campaign has impacted at least <a href=\"https:\/\/www.volexity.com\/blog\/2024\/01\/15\/ivanti-connect-secure-vpn-exploitation-goes-global\/\">2,100 devices worldwide<\/a>, according to the cybersecurity firm Volexity, which first saw the exploitation during the first week of December. Volexity attributed the initial campaign to an unknown <a href=\"https:\/\/www.volexity.com\/blog\/2024\/01\/10\/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn\/\">Chinese nation-state group<\/a> that is being tracked as UTA0178. However, since the initial exploitation many other threat groups have joined in, the firm noted. <\/p>\n<p>CISA has not attributed any actor to the campaign and Goldstein said during the call that they have not seen any evidence of Beijing exploiting the vulnerabilities on federal agency networks. However, Chinese state hackers have <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-158a\">previously targeted<\/a> Ivanti products.<\/p>\n<p>Additionally, the cybersecurity firm GreyNoise found that hackers were <a href=\"https:\/\/www.greynoise.io\/blog\/ivanti-connect-secure-exploited-to-install-cryptominers\">deploying cryptominers<\/a> on vulnerable Ivanti devices.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><a href=\"https:\/\/forums.ivanti.com\/s\/article\/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US\">Ivanti noted<\/a> that they are \u201caware of less than 20 customers impacted by the vulnerabilities prior to public disclosure.\u201d Additionally, the firm stated that they don\u2019t have any evidence that this was a supply chain attack.<\/p>\n<p>CISA said it has observed \u201cwidespread and active exploitation\u201d of the Ivanti vulnerabilities which, if exploited together, could lead to a full compromise of networks. Federal executive civilian branch agencies \u2014 which make up the government departments and agencies that fall outside of military and intelligence \u2014 are expected to meet the deadline before Tuesday.<\/p>\n<p>Ivanti released a temporary mitigation through a file that can be imported into the impacted software, but a permanent patch has yet to be issued. When that patch is issued, agencies are expected to follow additional directions from CISA, Goldstein said. The federal agencies are also required to run an external tool from Ivanti that checks for compromises, CISA noted. <a href=\"https:\/\/www.volexity.com\/blog\/2024\/01\/18\/ivanti-connect-secure-vpn-exploitation-new-observations\/\">Volexity found<\/a> that the internal tool from Ivanti was being modified in a way that it could not detect any compromise.<\/p>\n<p>Last Friday, the cybersecurity firm Mandiant <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/suspected-apt-targets-ivanti-zero-day\">released a blog<\/a> on the exploitation of the bugs, detailing the five malware strains that were used for espionage and to establish persistence. The Google-owned firm did not attribute the exploitation to any particular group or location, and is using the name \u201cUNC5221\u201d for the cluster of activity. However, the firm suspects that the campaign is a nation-state group that is motivated by espionage.<\/p>\n<p>\u201cUNC5221\u2019s activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors,\u201d the firm wrote. \u201cAs we have previously reported, the combination of zero-day exploitation, edge device compromise, use of compromised C2 infrastructure, and detection evasion methods such as writing code to legitimate files have become a hallmark of espionage actors\u2019 toolboxes.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.386301369863\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cisa-ivanti-vulnerability-emergency-directive\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA issues emergency directive for federal agencies to patch Ivanti<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,452,293,624,117,1394,288],"tags":[277,454,299,629,119,1395,294],"class_list":["post-2399","post","type-post","status-publish","format-standard","hentry","category-china","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-espionage","category-government","category-ivanti","category-threats","tag-china","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-espionage","tag-government","tag-ivanti","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/espionage\/\" rel=\"category tag\">espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ivanti\/\" rel=\"category tag\">Ivanti<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2399"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2399\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2399,"date":"2024-01-19T22:13:10","date_gmt":"2024-01-19T22:13:10","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78842"},"modified":"2024-01-19T22:13:10","modified_gmt":"2024-01-19T22:13:10","slug":"cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/19\/cisa-issues-emergency-directive-for-federal-agencies-to-patch-ivanti-vpn-vulnerabilities\/","title":{"rendered":"CISA issues emergency directive for federal agencies to patch Ivanti VPN vulnerabilities"},"content":{"rendered":"