At a glance.
- Ivanti VPN gateways may still be compromised after factory resets.
- Change Healthcare confirms BlackCat/ALPHV ransomware attack.
- US indicts Iranian national for alleged cyberattacks against State and Treasury Departments.
Ivanti VPN gateways may still be compromised after factory resets.
The US Cybersecurity and Infrastructure Security Agency (CISA) and other Five Eyes agencies warned on Thursday that threat actors who have exploited recent vulnerabilities affecting Ivanti Connect Secure and Policy Secure gateways may be able to maintain root persistence even after the devices have undergone factory resets. Additionally, the advisory notes that "cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise."
The advisory states, "The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory. Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time."