Irony of Ironies: CISA Hacked — ‘by China’
U.S. Cybersecurity and Infrastructure Security Agency penetrated in February, via vuln in Ivanti.
CISA had to take down two important systems last month after an Ivanti bug was exploited. The U.S. agency won’t say whodunnit, but it had previously fingered China. Sounds like they just didn’t take their own good advice—don’t you think?
Agency director Jen Easterly (pictured) is a bit red faced. In today’s SB Blogwatch, we shelter from the rain on your wedding day.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Lazy water.
Free Rides and Traffic Jams
What’s the craic? Jonathan Greig and Suzanne Smalley report—“CISA forced to take two systems offline”:
“Country’s most sensitive industrial information”
A CISA spokesperson confirmed … the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. … The impact was limited to two systems, which we immediately took offline.” … Since 2020, CISA has warned organizations of state-backed hackers — including ones linked to China — exploiting vulnerabilities in Ivanti products.
…
CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. [But] a source [said] the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. … CSAT houses some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.
Can you imagine how the mainstream media is covering this? You don’t need to, because here’s Sean Lyngaas—“Top US cybersecurity agency hacked”:
“Some irony in it”
One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to … US officials briefed on the matter. … A CISA spokesperson said in a statement that “there is no operational impact at this time.”
…
While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do.
C’mon, surely someone’s coined a silly name for these “threat actors”? Hear Jessica Lyons roar—“Magnet Goblin bursts onto the scene exploiting Ivanti holes”:
“Volt Typhoon”
A new, financially motivated gang dubbed Magnet Goblin has emerged from the shadowy digital depths with a knack for rapidly exploiting newly disclosed vulnerabilities. [CISA] initially linked these attacks to Chinese government-sponsored crews, including Bejing-backed Volt Typhoon.
…
The crooks appear to have hit vulnerable Ivanti Connect Secure VPN servers. … Make sure you’re patched or have mitigations in place, and have checked for indications of compromise, if you’re using Ivanti gear to secure your stuff.
Horse’s mouth? Sergey Shykevich speaks:
Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities. … In some cases, the deployment of the exploits is within 1 day after a POC is published. [It] signifies a profound threat to digital infrastructures worldwide.
…
At the heart of Magnet Goblin’s strategy lies … the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT, … WARPWIRE, a JavaScript credential stealer, … and Ligolo, an open-source tunneling tool written in GO, … showcasing the actor’s sophisticated approach to cyber intrusion.
…
Organizations must prioritize patch management to address vulnerabilities promptly, enhance monitoring to detect early signs of intrusion, and foster cyber security awareness among their teams. … The activities of groups like Magnet Goblin serve as a stark reminder of the perpetual arms race between cybercriminals and defenders.
Sounds like Ivanti could have done better. So says Slayer:
We don’t expect a web site on which mom&pop sell hand painted coffee mugs to withstand Cozy Bear or APT28. Neither does your car have the safety standards of a nuclear power plant. However, one would expect the likes of Solarwinds, Microsoft, Iventa, Cisco, Equifax and Ipswitch to withstand such attacks. And especially the ****ing US Cyber Security Agency!
…
We should … demand that basic infrastructure and network management software follows higher standards and … foregoes the latest hot features in order to guarantee a solid product. [And] that companies responsible for such products have processes in place that prevent lame passwords (SolarWinds) … or hardcoded admin passwords … (Cisco and Juniper).
…
We will not be able to prevent such occurrences, but if the consequences [were] at the same level as … for Boeing after the “door fell out” incident, then I guarantee you: We wouldn’t be reading about such incidents on a nearly daily basis.
And so could CISA. u/FoundationSouth6740 is mad as hell:
Practice what you preach: … CISA has been pushing for legislation to get private companies to report their breaches within 72 Hours (CIRCIA Act of 2022). Their reporting form wants you to share everything and everyone involved.
…
Now, when faced with their own cyber incident, they are silent: … ”CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline.”
…
Hard isn’t it, CISA? Hope this gives you some humbling insight. … Our government institutions need oversight and rails, not an unlimited checkbook and unlimited regulations over every business in the US.
Big target on its back, though. bill_mcgonigle has old advice:
TL;DR: If you can route to it, you can’t protect it.
…
CISA is high profile, so anything they put online will be targeted and eventually exploited. … They could try being less creepy and they might get fewer attackers, to get that probability down.
Sauce for the goose? Have a gander at u/sporks_and_forks:
A funny (sad) example: … The SEC would tweet about the importance of security, of MFA, etc., only to get their account taken over and a fake ETF-related tweet pushed out, all because they did not have MFA enabled themselves.
Meanwhile, nijam has now heard it all:
“Vulnerable Ivanti Connect Secure VPN.” — There in a nutshell: A phrase that summarises the state of IT “security.”
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: U.S. CISA