The Cybersecurity and Infrastructure Security Agency urged enterprises to weigh the risks of continued use of previously compromised Ivanti VPN appliances even after performing factory resets, as threat actors appear capable of maintaining root persistence and even evading detection, according to BleepingComputer.
CISA reported that the internal and external Integrity Checker Tools provided by Ivanti were unable to detect compromise via recently discovered exploits on Ivanti Connect Secure and Policy Secure gateways across multiple breach incidents due to a lack of file mismatches in web shells. Attackers also successfully concealed their activities through techniques such as overwriting or time-stomping files and remounting the runtime partition to recreate a "clean slate" status in the compromised appliance. Independent lab investigations by CISA also concluded that "a cyber threat actor may be able to gain root-level persistence despite issuing factory resets." Ivanti said it has patched the uncovered issues in an update to the external Integrity Checker Tool and noted that remote attackers would lose their connection to the Ivanti Connect Secure appliance if they were to perform the method CISA found to enable root persistence.
