The systems run by the U.S. CISA was breached by threat actors exploiting bugs in Ivanti products.
Ivanti appliances have been under sustained attack this year from multiple threat groups, including at least one espionage cyber gang linked to China. The vendor has issued patches for five high- and critical-severity vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for Zero Trust Access products.
The day before CISA confirmed two of its systems were breached, it was identified a new threat group dubbed Magnet Goblin observed abusing the bugs to attack Connect Secure appliances.
The CISA systems that hackers breached were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).
The IP Gateway was officially renamed the CISA Gateway in 2020 and is a web portal used to collect, analyze, and disseminate government information about critical infrastructure. Similarly, CSAT is a portal for information about chemical facilities.
CISA declined to confirm or deny whether the two portals were the systems taken offline as a result of the breach.
CISA said organizations should review an advisory it issued with several partner agencies on Feb. 29 regarding the Ivanti vulnerabilities. The advisory raised concerns that organizations might not detect breaches because threat actors were able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT).
As a result, CISA and its partner agencies said they “strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”
Check Point researchers said their tracking of “the recent wave of Ivanti exploitation” resulted in the discovery of a threat actor they called Magnet Goblin, a financially motivated gang adept at leveraging 1-day vulnerabilities — bugs that have been disclosed but not yet patched.
Magnet Goblin rapidly adopts newly disclosed vulnerabilities, notably targeting platforms such as Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ.
Researcherd said the suite of malware used by Magnet Goblin was as diverse as it is dangerous. Their sophisticated toolkit included NerbianRAT, a cross-platform remote access trojan for Windows and Linux, open-source tunneling tool Ligolo, and WARPWIRE, a JavaScript credential stealer.
This suite enables a wide range of cyber attacks, from data theft to sustained access within compromised networks.
