After spending months grappling with a string of gateway appliance security failures, Ivanti has vowed to reengineer its processes to harden its products against increasingly persistent attackers.
The promise to bolster its security practices was delivered by the company’s CEO, Jeff Abbott, in an April 3 post and video message addressed to Ivanti’s customers and partners.
Exploitation of the vulnerabilities in its appliances has impacted a large number of Ivanti customers, including U.S. government agencies, prompting an order in February for some devices to be disconnected from federal networks.
“We will use this opportunity to begin a new era at Ivanti. We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers,” Abbott said.
“We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices.”
Ivanti's months-long bug infestation
Ivanti’s spell of security dramas began in January when it disclosed two zero-day vulnerabilities in its Connect Secure and Policy Secure gateway appliances that were actively exploited in the wild by multiple threat actors, including at least one China-linked cyberespionage gang.
Three weeks later, two additional bugs impacting the same products were discovered. The severity of the situation prompted the Cybersecurity and Infrastructure Security Agency (CISA) to order U.S. federal civilian agencies to disconnect affected devices from their networks.
In February, a fifth vulnerability was revealed and researchers uncovered more evidence that the impacted appliances were being attacked as part of a concerted campaign by Chinese nation-state threat actors.
Last month, it emerged CISA was among the victims of the cyberespionage campaign. The agency said it took two of its systems offline after they were breached through exploitation of the Ivanti bugs a month earlier.
The breach of one of the affected CISA systems, the Chemical Security Assessment Tool, potentially affected more than 100,000 individuals.
Ivanti disclosed and patched this week four more vulnerabilities affecting Connect Secure and Policy Secure appliances. It said it was not aware of the new bugs being exploited to compromise any of its customers.
Researchers at Volexity previously noted that appliances such as Ivanti’s gateways are a natural target of attackers because they “often sit on critical parts of the network, cannot run traditional security software, and typically sit at the perfect place for an attacker to operate.”
How Ivanti plans to improve its security posture
The company was “committed to a broad shift that fundamentally transforms the Ivanti security operating model,” Abbott said.
One of the elements of the transformation would be a revamp of the company’s core engineering, security and vulnerability management practices “to ensure our current products are secure, and that customers have the resources needed to deploy them securely for their organization,” he said.
Ivanti would adopt a secure by design methodology “with security considered as a key factor at every stage of the software development lifecycle.”
The company planned to set up a customer advisory board to provide input on product development, feature prioritization, and security concerns.
Abbott said Ivanti’s recent “humbling” experiences at the center of a storm of attacks underscored the challenges the entire IT industry faced from cybercriminals.
“We’re battling an increasingly complex and aggressive landscape of threat actors. In many cases, these actors are well resourced, with nation state level capabilities,” he said. “This environment has challenged all of us. It demands that we do more, earlier and more often, to ensure our products are, and remain, secure so that we can meet our commitments to our customers.”
