Ivanti CEO Promises Stronger Security After a Year of Flaws
The chief executive of vulnerability-plagued Ivanti said the management software maker is revamping its security practices after months of reports of China-linked and other attackers exploiting the flaws.
In an open letter to customers and partners, accompanied by a six-minute video, CEO Jeff Abbot wrote that “events in recent months have been humbling” and that he was outlining “actions we are taking to ensure we emerge stronger, and our customers are more secure.”
“We and many others in our industry have witnessed, firsthand, the increasing complexity of the threat landscape and the specific evolution of threat-actor tactics,” Abbot wrote. “This activity has brought one of our products to the forefront of conversation regarding recently reported security incidents.”
Among the steps the company is taking is adhering to Secure-by-Design principles advocated by CISA and other government agencies. That’s a key part of the White House’s larger directive to ramp up the country’s cybersecurity capabilities and shift the responsibility of ensuring that technology is secure from end users to vendors.
“Our focus is on embedding security into every stage of the software development lifecycle, with robust processes that anticipate and preemptively address potential vulnerabilities from product inception to deployment and beyond,” Abbott wrote, adding that will include threat modeling to ensure that security is integrated into every part of the company’s products.
More Security, User Support
Ivanti also is modernizing the network security products, explained Abbott, such as in Ivanti Connect Secure, Policy Secure, and ZTA (Zero Trust Access). The company expects to invest more in product security – including expanding its security teams – improving its scanning and testing capabilities, enhancing the bug bounty program, delivering more support to users and sharing more information with customers.
In addition, the vendor is creating a Customer Advisory Board to give users greater input into such areas as product development, feature priorities, security and product roadmaps.
“The challenges we face are not unique in the software industry and we are committed to taking the necessary steps to lead the way for others,” Abbott wrote. “Threat actors are constantly evolving – know that we will be too.”
How all this will fly with users remains to be seen. Ivanti has disclosed multiple security vulnerabilities since the beginning of the year. Those users have and read reports indicating that threat groups linked to China and other more financially motivated bad actors have converged on the problem products.
The day before Abbott posted his letter and video, Ivanti disclosed four new bugs (CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, and CVE-2024-22023) in its Connect Secure – formerly known as Pulse Connect Secure – and Policy Secure gateways, and it provided patches for them. Those are the same products that have been under siege since Ivanti announced the first flaws in January.
Ivanti officials said they hadn’t seen the latest vulnerabilities exploited in the wild.
China at the Gates
The day after the letter was posted, security researchers with Google-owned Mandiant, who have been diving deep into the Ivanti vulnerabilities and the cybercriminals targeting them, wrote that multiple China-linked groups, including the notorious Volt Typhoon, exploited three of the earlier flaws in Ivanti software: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. The attackers used a range of malware and tools.
The Volt Typhoon Chinese state-sponsored group that CISA said in February that it had infiltrated computers and networks of critical infrastructure organizations in the United States, essentially lying in wait until they time were told to disrupt operations if a conflict between the two world powers broke out.
“Mandiant has observed different types of post-exploitation activity across our incident response engagements, including lateral movement supported by the deployment of open-source tooling and custom malware families,” the researchers wrote. “In addition, we’ve seen these suspected China-nexus actors evolve their understanding of Ivanti Connect Secure by abusing appliance-specific functionality to achieve their objectives.”
Plugging the Holes
The risks raised by the Ivanti vulnerabilities convinced CISA in early February to order federal civilian agencies to disconnect from Secure Connect and Policy Secure. That was followed by various reports from CISA, Mandiant and other cybersecurity firms, including Veloxity, about ongoing attempts to exploit the vulnerabilities.
Eventually, the flaws caught up to CISA, which in February had to take two systems offline after an Ivanti vulnerability was exploited.
Ivanti’s Abbott is hoping to put all this in the past.
“We will use this opportunity to begin a new era at Ivanti,” Abbott wrote. “We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers. We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come.”