CISA breach: Hackers gained access to chemical sector's vulnerability assessments

Cybersecurity agency's cybersecurity appliance breached (yes, everything is broken) but no exfiltration seen says CISA 

CISA breach: Hackers gained access to chemical sector's vulnerability assessments

Hackers gained access to the (encrypted) security vulnerability assessments of critical US chemical facilities after breaching federal cybersecurity agency CISA via a network security appliance.

CISA said that its Chemical Security Assessment Tool (CSAT) was breached in January after attackers compromised a Ivanti Connect Secure appliance and “installed an advanced webshell on the Ivanti device.”

An initially alarming-looking notification by the agency, made because this meets the “threshold of a major incident under the Federal Information Security Modernization Act (FISMA)” looks a little less worrying on closer inspection: Data was encrypted and not exfiltrated, it said on June 24.

The CISA breach "may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts” the Cybersecurity and Infrastructure Security Agency said

See also: 20,000 Fortinet devices breached by Chinese hackers – reboots, firmware updates no defence

But its investigation “did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment,” CISA said today.

Better: “All information in CSAT was encrypted using AES 256 encryption, and information from each application had additional security controls limiting the likelihood of lateral access. Encryption keys were hidden from the type of access the threat actor had to the system,” it added.

The incident makes CISA the latest US agency to fall victim to compromise of an Ivanti Connect appliance however, joining MITRE, which reported a breach resulting from compromise of the same product in April 2024.

(The MITRE attackers then managed to pivot to its VMware environment and compromise a “virtual development environment for all military branches and their respective weapons systems” called NERVE.) 

CISA has called on all Ivanti customers to “please review Cybersecurity Alert (AA24-060B) Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways” among other actions.

See also: 13,000 unpatched Ivanti appliances exposed as attacks escalate, firmware analysis shocks users