Agencies have just over 24 hours to shut down any instances of widely used software products that were found to contain major cybersecurity vulnerabilities in January.
In a supplemental directive released Wednesday, the Cybersecurity and Infrastructure Security Agency tells agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure VPN products on their networks by the close of Friday. The latest missive in part supersedes a Jan. 19 emergency directive from CISA telling agencies to remediate the vulnerabilities in those Ivanti products.
In addition to disconnecting the products, CISA is telling agencies to continue threat hunting on any systems that have been recently connected to the affected Ivanti devices.
Agencies should also continue monitoring any authentication or identity management services that could have been exposed; isolate those connected systems from enterprise resources “to the greatest degree possible”; and continue to audit privilege-level access accounts, according to CISA’s directive.
In order to bring the Ivanti products back into service, CISA is directing agencies to follow a series of steps, starting with exporting the configuration settings and completing a factory reset of the product.
Agencies are required to report back to CISA on the status of the required actions by Monday, February 5.
CISA also said agencies running the affected products “must assume domain accounts associated with the affected products have been compromised.” Therefore, by March 1, agencies should “reset passwords twice for on premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments,” while cloud-based devices should be disabled “to revoke the device tokens.”
“This supplemental direction remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this direction or the direction is terminated through other appropriate action,” CISA said in its directive.
The Ivanti vulnerabilities have been a rapidly evolving cybersecurity story since the company first disclosed them on Jan. 10.
Earlier this week, CISA warned that hackers had “developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection.”
When CISA issued the original emergency directive on Jan. 19, an agency official said the potential exposure to the federal government was “limited,” with about 15 agencies having been found to use the affected Ivanti software.