The Cybersecurity and Infrastructure Security Agency issued an emergency directive Friday ordering Federal Civilian Executive Branch agencies to mitigate vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure devices.
A suspected nation-state hacker has chained two vulnerabilities together and injected webshells into more than 2,100 systems across a range of private sector companies and government agencies since December.
The attacks allow the hackers to gain persistent system access, enabling data exfiltration, credential theft and other malicious activity.
Federal agencies have been targeted as part of the exploitation activity, according to Eric Goldstein, executive assistant director for cybersecurity at CISA, but he said it is too soon to confirm any specific compromise.
The U.S. government has not formally attributed the activity to any foreign government, but acknowledged it is similar to previous threat activity from the People’s Republic of China, including the Volt Typhoon campaign in 2023.
About 15 federal agencies are running the affected products and are required to take immediate mitigation measures to protect their systems.
Goldstein said officials do not expect a “significant risk” from using these products, but acknowledged the risk is not zero.
The U.S. government previously issued a similar directive after APT actors targeted Pulse Secure devices for malicious activity, and officials scaled back use of some of these devices after those attacks.
By 11:59 p.m. on Monday, the agencies must download an XML file from Ivanti as part of the mitigation steps and run the company’s External Integrity Checker Tool, which is designed to help determine whether a product has been compromised.
If a compromise is found, the product must be disconnected from the agency network and immediately reported to CISA.
Ivanti is working with Mandiant on efforts to mitigate the vulnerabilities. An initial patch is expected next week.
Ivanti said it supports the emergency directive and helped CISA issue the mitigation language to make sure these customers properly secure their environments.
“When an incident occurs, our focus is on getting the information to our customers as quickly as possible,” a spokesperson said in an emailed statement. “Additionally, we also work with CERTs globally to ensure transparency.”