CISA orders Ivanti devices targeted by Chinese hackers be disconnected | CyberScoop<\/title> <meta name=\"description\" content=\"An updated emergency directive includes instructions on how to bring affected devices back online securely.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ivanti-connect-secure-china\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA orders Ivanti devices targeted by Chinese hackers be disconnected\"> <meta property=\"og:description\" content=\"An updated emergency directive includes instructions on how to bring affected devices back online securely.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ivanti-connect-secure-china\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-02-01T20:30:56+00:00\"> <meta property=\"article:modified_time\" content=\"2024-02-01T20:30:57+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1281\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1706643139g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css,\/wp-content\/plugins\/embedpress\/Gutenberg\/dist\/blocks.style.build.css?m=1706739156\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-content\/plugins\/embedpress\/assets\/css\/embedpress.css,\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1706739156\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=b50a7fc68d02387a0cbc\" media=\"all\">\n<link rel=\"stylesheet\" id=\"all-css-10\" href=\"https:\/\/cyberscoop.com\/_static\/??\/wp-includes\/css\/dashicons.min.css,\/wp-content\/plugins\/embedpress\/assets\/css\/plyr.css?m=1706739156\" type=\"text\/css\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/79019\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=79019\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fivanti-connect-secure-china%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fivanti-connect-secure-china%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-79019 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ivanti-connect-secure-china\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.500992063492\">\n<div class=\"single-article__header-content\" readability=\"30.13698630137\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/government\/\"> <span>Government<\/span> <\/a> <\/li>\n<\/ul>\n<p> An updated emergency directive includes instructions on how to bring affected devices back online securely. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-2.jpg?resize=1264,843 1264w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency Jen Easterly prepares to testify at a House Select Committee on the Chinese Communist Party hearing on Capitol Hill in Washington, DC, on January 31, 2024. (Photo by Julia Nikhinson \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"33.856994549702\"><body readability=\"68.897050639955\"><\/p>\n<p>Any federal agency running Ivanti Connect Secure or Ivanti Policy Secure devices must disconnect them from their networks before midnight Friday, the United States\u2019s top civilian cyber defense agency <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure\">said Wednesday<\/a> amid reports the vulnerable devices are being targeted by espionage operations linked to China. <\/p>\n<p>Last month, CISA <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities\">warned<\/a> that the vulnerable Ivanti devices were subject to \u201cwidespread exploitation of vulnerabilities by multiple threat actors.\u201d On Wednesday, the agency <a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/supplemental-direction-v1-ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure\">issued new instructions<\/a> for how to update and bring those devices back online. <\/p>\n<p>A CISA spokesperson did not immediately respond to a question about how many instances of Ivanti\u2019s affected product are present in federal networks. <\/p>\n<p>The CISA directive comes amid growing concern in Washington about Chinese cyberoperations. Separately on Wednesday, senior U.S. national security officials <a href=\"https:\/\/cyberscoop.com\/chinese-cyber-threats-fbi-operation-botnet\/\">warned a Congressional panel<\/a> that China\u2019s aggressive cyber operations are not only aimed at gathering intelligence but also to preposition in critical civilian-focused U.S. networks in the event of military conflict.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Chinese hackers appear to be exploiting the Ivanti vulnerabilities to carry out espionage. Researchers with <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/investigating-ivanti-zero-day-exploitation\">Google\u2019s Mandiant wrote in a blog post Wednesday<\/a> that they\u2019d identified \u201cbroad exploitation activity\u201d by suspected Chinese-linked espionage hackers they track as \u201cUNC5221,\u201d as well as other uncategorized attackers. <\/p>\n<p>Cybersecurity experts said the CISA directive appeared aimed at definitively cutting off Ivanti devices as a way to target the U.S. government. <\/p>\n<p>\u201cI think what it largely boils down to is that CISA likely does not want to have ambiguity as to whether an Ivanti Connect Secure VPN appliance is compromised or not,\u201d said Steven Adair, president of cybersecurity firm Volexity. \u201cGiven the multitude of vulnerabilities in the last month, the best way to go about that is to taken the systems offline, factory reset the device, start with a fresh build, and apply the latest patches.\u201d<\/p>\n<p>Ivanti <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US\">has<strong> <\/strong>issued guidance on remediating issues<\/a> with the devices based on the latest knowledge of how the attacks work. The company did not respond to a request for comment Thursday.<\/p>\n<p>Last month \u2014 before CISA\u2019s first directive regarding Ivanti devices \u2014 Adair and his team <a href=\"https:\/\/www.volexity.com\/blog\/2024\/01\/10\/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn\/\">published research<\/a> detailing what was then an \u201cactive in-the-wild exploitation\u201d of two Ivanti vulnerabilities that made it \u201ctrivial for attackers to run commands on the system\u201d and ultimately pivot to a handful of systems internally and gain \u201cunfettered access to systems on the network.\u201d That operation dates back to the second week of December 2023, according to the Volexity researchers.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis is the first emergency directive issued by the Cybersecurity and Infrastructure Security Agency in almost two years, highlighting the criticality of the situation,\u201d Glenn Thorpe, senior director of security research and detection engineering with Greynoise, told CyberScoop in an email Thursday.<\/p>\n<p>Ron Bowes, Greynoise\u2019s lead security researcher, added that Ivanti Connect Secure is designed to be internet-facing and to bridge the internet to a secure network, \u201cwhich makes it a very good target.\u201d Exploitation of one of the vulnerabilities \u2014 tracked as CVE-2024-21887 \u2014 is \u201cquite simple,\u201d Bowes said.<\/p>\n<p>More than 85% of the known zero-day vulnerabilities exploited by Chinese state-sponsored hackers since 2021 were in public-facing appliances such as firewalls and VPN products, Recorded Future\u2019s Insikt Group wrote in <a href=\"https:\/\/go.recordedfuture.com\/hubfs\/reports\/cta-2023-1107.pdf\">a November 2023 report<\/a>. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.0523255813953\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected-1.jpg?w=640&ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/ivanti-connect-secure-china\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA orders Ivanti devices targeted by Chinese hackers be disconnected<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,866,117,1394,288,1170],"tags":[454,869,119,1395,294,1171],"class_list":["post-2464","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-federal","category-government","category-ivanti","category-threats","category-zero-days","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-federal","tag-government","tag-ivanti","tag-threats","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal\/\" rel=\"category tag\">Federal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ivanti\/\" rel=\"category tag\">Ivanti<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2464"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2464\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":2464,"date":"2024-02-01T20:30:56","date_gmt":"2024-02-01T20:30:56","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=79019"},"modified":"2024-02-01T20:30:56","modified_gmt":"2024-02-01T20:30:56","slug":"cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/02\/01\/cisa-orders-ivanti-devices-targeted-by-chinese-hackers-be-disconnected\/","title":{"rendered":"CISA orders Ivanti devices targeted by Chinese hackers be disconnected"},"content":{"rendered":"