CISA warns chemical facilities of possible data breach
The Cybersecurity and Infrastructure Security Agency (CISA) recently suffered a data breach in which sensitive information from legacy Oracle cloud servers was potentially stolen. The breach, which occurred in January, was linked to vulnerabilities in Ivanti's Connect Secure VPN, a widely used remote access solution.
The attackers started exploiting the vulnerabilities, CVE-2023-46805 and CVE-2024-21887, as early as December 2024. An unidentified threat actor gained access to CISA's Chemical Security Assessment Tool (CSAT) from January 23 to 26. CISA's scanning systems identified malicious activity on Jan. 26.
The compromise may have exposed top-screen surveys, security vulnerability assessments, site security plans, personnel surety program submissions, and CSAT user accounts to unauthorized access. During its investigation, CISA determined that an advanced webshell was installed on CISA's exploited CSAT Ivanti Connect Secure device on Jan. 23. The webshell, which can execute malicious commands and write files to the underlying system, was accessed by the malicious actor several times over a two-day period.
Despite the intrusion, CISA found no evidence of data theft or lateral movement during the attack. However, the stolen credentials from Oracle legacy servers could allow attackers persistent, undetected enterprise access. The data potentially stolen included usernames, encrypted passwords, key files, and details related to Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.
Ivanti released a security patch for the CVEs on Jan. 31, but it was too late for CISA. The CSAT system was completely taken offline when the intrusion was discovered in January and will remain offline until the program is reauthorized.
Corporate stakeholders are now working to understand the risk calculus of their technology stacks, including whether they are potential targets. The attack chain reflects common tactics observed by CISA and the FBI, involving social engineering of IT helpdesks, abuse of multi-factor authentication, remote access tunneling tools, and exploitation of legacy or unpatched vulnerabilities for privilege escalation and data exfiltration.
In response to the breach, CISA has notified organizations representing more than 100,000 people of potential exposure. The notifications were mandated due to the breach meeting the criteria of a major incident involving the unauthorized access of personally identifiable information of at least 100,000 people under the Federal Information Security Management Act of 2002.
CISA maintains that several layers of defense and separation were in place between the exploited Ivanti device and potentially sensitive data, but unauthorized access cannot be definitively ruled out. The agency is working closely with the FBI and other federal partners to investigate the breach and mitigate any potential threats.
- The attack chain, observed by CISA and the FBI, involved exploitation of vulnerabilities, such as CVE-2023-46805 and CVE-2024-21887, in remote access solutions like Ivanti's Connect Secure VPN, which could lead to data exfiltration.
- Despite CISA's assertion that several layers of defense were in place, the stolen credentials from Oracle legacy servers pose a threat of potential, undetected enterprise access due to vulnerabilities in technology systems.