June 25, 2024
Severity
High
Analysis Summary
CISA is alerting users that private security assessments and plans may have been exposed in January, after threat actors used a web shell on its Ivanti device to compromise the environment of its Chemical Security Assessment Tool (CSAT).
Facilities use the CSAT web platform to report any substances they hold that could be used for terrorist purposes, so that CISA can determine whether they are deemed high-risk. If the application deems a facility high-risk, the user is asked to upload a security vulnerability assessment (SVA) and a site security plan (SSP) survey containing sensitive facility information.
The breach was first revealed by cybersecurity researchers in March, when two CISA systems were taken offline for investigation after the agency's Ivanti device was exploited. According to sources, the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT) were the systems involved, although CISA declined to comment on specifics.
CISA has now confirmed that on January 23, 2024, the CSAT Ivanti Connect Secure appliance was compromised, enabling a threat actor to upload a web shell to the system. The threat actor accessed this web shell many times over the following two days. After learning of the intrusion, CISA disconnected the device to investigate what the threat actor may have done and what data might have been exposed.
CISA has pointed to its own advisory on threat actors exploiting various vulnerabilities in Ivanti Connect Secure and Policy Secure Gateway devices, but has not disclosed which vulnerabilities were exploited in this incident. That advisory covers three vulnerabilities that were disclosed earlier and swiftly exploited by threat actors, tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. One day before the breach of CISA's Ivanti device, on January 22, a further vulnerability, CVE-2024-21888, was made public.
Although CISA says that all data in the CSAT application is encrypted with AES-256 and that there is no evidence any CSAT data was taken, it chose to notify businesses and individuals out of caution. Even without proof of exfiltration, the number of individuals and organizations whose data was potentially at risk met the Federal Information Security Modernization Act (FISMA) threshold for a serious incident.
The potentially compromised data includes site security plans, Personnel Surety Program submissions, Security Vulnerability Assessments, Top-Screen surveys, and CSAT user accounts. These submissions contain extremely sensitive information about the chemical inventory and security posture of facilities that use CSAT. According to CISA, the CSAT user accounts held the following data: aliases, nationality, birthplace, redress number, passport number, Global Entry ID number, and TWIC ID number.
Although CISA states that there is no evidence credentials were stolen, it advises all CSAT account holders to change the passwords on any of their accounts that they may have previously used. CISA is sending different notification letters depending on whether the recipient is an individual or an organization.
Impact
- Exposure of Sensitive Data
- Unauthorized Access
Remediation
- Use strong, unique passwords for sensitive accounts. Regularly change passwords for all accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.
- Improve communication with customers by providing timely and transparent updates about data breaches, including what information was compromised and the steps being taken to mitigate the impact.
- Ensure that all vendors and third-party partners adhere to stringent security protocols and regularly assess their cybersecurity practices to minimize the risk of data breaches originating from external sources.
- Provide affected customers with comprehensive support, including credit monitoring services, identity theft detection, and resolution assistance, to help mitigate the potential consequences of the breach.