The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced today that attackers who use one of several actively exploited vulnerabilities may be able to maintain root persistence despite factory resets.
Additionally, they are able to evade detection by Ivanti's internal and external integrity checker tools (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised through exploits such as CVE-2024-21887 and CVE-2024-21893.
The four vulnerabilities can be exploited for arbitrary command execution, server-side request forgery, authentication bypass, and command injection; their severity ratings range from high to critical.
While investigating numerous incidents involving hacked Ivanti appliances, CISA found that Ivanti's ICT failed to detect the compromise: the web shells found on the systems produced no file mismatches in the ICT's results.
Forensic analysis also revealed that the attackers used timestomping, overwriting, and re-mounting of the runtime partition to return the compromised appliance to a "clean state" and cover their tracks.
According to CISA, this shows that, unlike in earlier compromises, an ICT scan can give the impression that the device is free of compromise. Ivanti has since released an updated external integrity checker tool to address the shortcomings of the previous scanner.
CISA was also able to independently confirm in a test lab that threat actors may retain root-level persistence across factory resets, and that Ivanti's ICT alone is not sufficient to detect compromise.
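To make the detection gap concrete, here is an added Python illustration; it is not Ivanti's ICT and not code from CISA or this article. It builds a constructed miniature file tree with a baseline manifest, drops a harmless placeholder file, backdates that file's mtime, and then runs two checkers: a manifest-only check that, like the behaviour described above, verifies only the files it already knows about and so reports nothing, and a hardened check that also flags files absent from the baseline and files whose inode change time is much newer than their modification time (rewriting mtime does not move ctime backwards). All paths and contents are constructed for the demo, and the one-second ctime/mtime threshold is an assumed heuristic rather than anything Ivanti or CISA specify.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Known-good baseline: relative path -> SHA-256 for every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def naive_mismatch_check(root: Path, manifest: dict) -> list:
    """Verify only the files named in the manifest.

    A dropped file that leaves every baseline file untouched is never
    examined, so this checker reports a clean system.
    """
    findings = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            findings.append(("missing", rel))
        elif sha256_file(p) != expected:
            findings.append(("mismatch", rel))
    return findings


def hardened_check(root: Path, manifest: dict) -> list:
    """Manifest check plus two extra signals.

    - 'unexpected': a file on disk that the baseline does not list.
    - 'timestomp_suspect': inode change time (ctime) is well ahead of the
      modification time; utime-style backdating rewrites mtime but the
      kernel still bumps ctime. (On Windows st_ctime is creation time, so
      the heuristic assumes a Linux/macOS filesystem.)
    """
    findings = naive_mismatch_check(root, manifest)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        st = p.stat()
        if rel not in manifest:
            findings.append(("unexpected", rel))
        if st.st_ctime - st.st_mtime > 1.0:  # assumed threshold
            findings.append(("timestomp_suspect", rel))
    return findings


def demo() -> tuple:
    """Build a baseline, drop a constructed placeholder file, backdate its
    mtime, and return (naive_findings, hardened_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        # Constructed baseline content; mtime and ctime are both "now".
        (root / "cgi-bin" / "login.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "index.html").write_text("<html>baseline</html>\n")
        manifest = build_manifest(root)

        # Constructed stand-in for a dropped file; the contents are inert text.
        dropped = root / "cgi-bin" / "extra.cgi"
        dropped.write_text("# constructed placeholder for the demo\n")
        a_year_ago = time.time() - 365 * 86400
        os.utime(dropped, (a_year_ago, a_year_ago))  # mtime now looks old, ctime does not

        return naive_mismatch_check(root, manifest), hardened_check(root, manifest)


if __name__ == "__main__":
    naive, hardened = demo()
    print("manifest-only check:", naive)
    print("hardened check:     ", hardened)
```

The manifest-only checker returns an empty list for the demo tree, which is the "no file mismatches" outcome described above; the hardened checker returns both an `unexpected` and a `timestomp_suspect` finding for `cgi-bin/extra.cgi` and nothing for the baseline files. In practice a baseline should also record inode metadata and the partition's mount state, since the re-mounting described above changes what the checker sees without changing any file it already knows.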
CISA warned on Thursday that Ivanti’s internal and previous external ICT failed to detect compromise during a number of incident response engagements related to this activity.
A cyber threat actor may be able to gain root-level persistence despite issuing factory resets, according to CISA’s independent research in a lab setting.
CISA also gives federal agencies guidance on how to proceed once Ivanti VPN appliances on their networks show any signs of compromise.
The authoring organizations advise network defenders to (1) assume that user and service account credentials stored in affected Ivanti VPN appliances are likely to be compromised, (2) conduct network searches using IOCs, (3) run Ivanti's most recent external ICT, and (4) use available patching advice provided by Ivanti as version updates become available. Organizations should collect, examine, and use the incident response recommendations in this advisory if a potential compromise is discovered. — CISA
CISA: "Take into account the significant risk"
In response to CISA's advisory, Ivanti stated today that a remote attacker who attempted the method CISA discovered to gain root persistence on an Ivanti device would lose access to the Ivanti Connect Secure appliance.
According to Ivanti, "Ivanti and our security partners are not aware of any instances of successful threat actor persistence following the implementation of the security updates and factory resets (hardware) or new builds (virtual) recommended by Ivanti."
CISA advised all Ivanti customers today to take into account the significant risk of adversary access to and persistence on Ivanti Connect Secure and Ivanti Policy Secure gateways when deciding whether to continue operating these devices in an enterprise environment [CISA’s emphasis].
In other words, CISA warns that continuing to use previously compromised Ivanti Connect Secure and Ivanti Policy Secure devices may still be unsafe even after cleaning them and performing a factory reset.
On February 1st, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours in response to the "substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances.
To bring the isolated devices back online, the agencies were required to export their configurations, factory reset the devices, rebuild them using patched software releases from Ivanti, reimport the backed-up configurations, and revoke all connected or exposed certificates, keys, and passwords.
When they discovered compromised Ivanti products on their networks, federal agencies were instructed to assume that all linked domain accounts had been compromised, to disable joined/registered devices (in cloud environments) or perform a double password reset for all accounts, and to revoke Kerberos tickets and cloud tokens (in hybrid setups).
Some of the security flaws covered by today's advisory were first exploited as zero-days by nation-state actors and have since been leveraged by a wide range of threat actors to deploy multiple custom malware strains.
In 2021, suspected Chinese threat groups used another Connect Secure zero-day, CVE-2021-22893, to breach dozens of government, defense, and financial institutions across the United States and Europe.
Update, February 29, 19:57 EST: Clarified the advisory's use of Ivanti Connect Secure and Ivanti Policy Secure VPN appliances.