Updated to include information regarding the 29 February advisory from CISA, which includes technical findings observed in CISA’s lab that have not been seen in the wild and are not believed to be possible in a live customer environment. CISA and the other government agencies recommend that defenders run Ivanti’s updated external Integrity Checker Tool (ICT), released on 27 February.

As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild.  

Importantly, this is not a new CVE, and we and our security and government partners are not aware of any instances of successful threat actor persistence following implementation of security updates and factory resets. However, given the aggressive nature of the attack, we are releasing relevant information to customers so that they can take steps to monitor and further protect themselves against this highly sophisticated threat.

Ivanti is releasing a new enhancement to the external Integrity Checker Tool (ICT), which provides additional visibility into a customer's appliance and all files that are present on the system. The enhanced external ICT will no longer require support to decrypt a customer’s snapshots. When new and/or modified files are found, the external ICT will now provide customers with an unencrypted snapshot for their own review. The guidance for viewing the snapshot contents can be found in this Knowledge Base article (login required), and a reference for interpreting snapshots can be found in this article. As a reminder, the ICT is a snapshot in time of the files present on the device. It is able to detect changes in these binaries to highlight indicators of compromise. It is an additional layer of security for our customers and is always intended to be used in conjunction with continuous monitoring tools.

Ivanti has also updated its recommendations for virtual appliances in the Knowledge Base article. These new instructions only apply to customers using virtual appliances that did not previously complete a successful factory reset, or deploy a new build, and patch their appliance.

Ivanti recommends that customers take the following actions:

  • For customers who have already completed a successful factory reset and patched their appliance(s), the only action is to continue to run the internal and updated external ICT, along with continuous monitoring which should be updated to reflect these evolving techniques.
  • For customers using virtual appliances that did not complete a factory reset, or deploy a new build, and patch their appliance, Ivanti is now recommending that a new build of Ivanti Connect Secure be deployed, versus executing a factory reset. The reason is that factory resets of virtual appliances have not been consistently successful, and so we have updated the recommended instructions.
  • Again, if you previously followed Ivanti’s instructions and had a clean ICT scan, you do not need to complete any additional factory resets or deploy a new build (for virtual appliances). 

Customers can access the most up-to-date remediation information on this blog and the Knowledge Base Article, FAQ blog and Recovery Knowledge Base article. We will continue to actively update these documents as new information is available.

If a customer experiences any issues while remediating the previously disclosed vulnerabilities, our support team remains available to assist.

Ivanti customers should review the blog released by Mandiant outlining additional TTPs and observations regarding the unsuccessful attempt to achieve persistence through factory reset that they observed.

Update: CISA, and other government agencies, have released a joint advisory on 29 February compiling prior research, including the findings released by Ivanti and Mandiant on 27 February and a potential persistence technique developed in CISA’s technical lab. It is important to note that this lab-based finding has not been observed by CISA, Ivanti or Mandiant in the wild, and based on the evidence presented and further analysis by our team, we believe that if a threat actor were to attempt this remotely they would lose connection to Ivanti Connect Secure, and not gain persistence in a live customer environment. Furthermore, customers that patched and executed a successful factory reset (hardware) or deployed a new build (virtual) would not be at risk from the activity outlined in CISA’s report.
 
Ivanti, Mandiant and CISA recommended using the updated external ICT to help detect known attack vectors and detect additional files or changed files. As Ivanti has emphasized, this is a useful and informative security tool in your arsenal, to complement other security and monitoring tools. Our recommendation remains that you should use the updated ICT in concert with continuous monitoring.

We continue to intensely review risks and evolving threat actor techniques. When new findings are made, we will work quickly to provide information in the best interests of our customers, and release fixes or enhance our ICT if it is appropriate to do so. We remain actively engaged with our security and government partners to this end.  

We take our customers’ security very seriously and are committed to applying enhanced security processes and protocols so that our products remain secure in the face of the increasingly aggressive threats facing our customers and their industries.

Key FAQs

Is there any action for customers to take following the 27 February and 29 February advisories?  

For customers who have already completed a successful factory reset (hardware) or deployed a new build (virtual) and patched their appliance(s), the only action is to continue to follow Ivanti and Mandiant’s guidance to run the internal and updated external ICT, along with continuous monitoring which should be updated to reflect these evolving techniques. 

Ivanti and our security partners are not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets (hardware) / new build (virtual) recommended by Ivanti.

Customers that have not yet patched should immediately follow the instructions provided in the Knowledge Base Article.

Again, if you previously followed Ivanti’s instructions and continue to have a clean ICT scan, you do not need to complete any additional factory resets or deploy a new build (for virtual appliances).

Is the Integrity Checker Tool an effective tool for customers? 

Yes. Ivanti, Mandiant and CISA recommended using the updated external ICT, which helps detect known attack vectors, changed files and additional files, and which should be used in conjunction with continuous monitoring. The ICT is effective at determining if anything malicious was left behind based on known attack vectors.

As Ivanti has emphasized, the ICT is an important and informative security tool in your arsenal, to be leveraged alongside other tools. Continuous monitoring remains important in detecting potential threats, as the ICT is intentionally designed to be a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the appliance has been returned to a clean state. Other security tools should be used to monitor for changes made between scans as well as malware and other Indicators of Compromise (IoCs). 

The ICT is designed to focus specifically on known threat activity that is being deployed by threat actors in the wild. This maximizes meaningful results for customers and minimizes false positives, and has been validated by Mandiant in their blog as an effective tool. Other standard security monitoring tools are designed to detect other activity.
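The distinction drawn above, between a point-in-time integrity snapshot and continuous monitoring of changes made between scans, is the key operational caveat for any file-integrity tool. The following is an added example written for this page; it is not Ivanti's ICT or any Ivanti code, and the directory tree, file names and file contents it builds are constructed for the demo. It takes a hashed baseline of a tree, reports files that were added, removed or modified relative to that baseline, and then shows that a change made and reverted between two snapshots is invisible to the final snapshot but is caught by a monitor that polls in between.

```python
"""Snapshot-based file-integrity check with a simple between-scan monitor.

Added example (not Ivanti's ICT). All paths and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[p.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; lists are sorted so results are deterministic."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def poll(baseline, root, events):
    """One tick of a continuous monitor: record any divergence seen at poll time."""
    delta = diff_snapshots(baseline, snapshot(root))
    if any(delta.values()):
        events.append(delta)
    return delta


def demo():
    """Build a constructed tree, tamper with it, revert it, and compare what a
    point-in-time snapshot sees against what the polling monitor recorded.

    Returns (diff_while_tampered, diff_after_revert, monitor_events).
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "web").write_bytes(b"original web binary")
        (root / "etc").mkdir()
        (root / "etc" / "config").write_text("mode=normal\n")
        baseline = snapshot(root)  # the trusted reference state
        events = []

        # Constructed tampering: one binary altered, one unexpected file added.
        (root / "bin" / "web").write_bytes(b"original web binary + extra")
        (root / "unexpected.txt").write_text("not part of the baseline\n")
        while_tampered = poll(baseline, root, events)  # monitor catches it

        # Revert to the clean state before the next scheduled snapshot.
        (root / "bin" / "web").write_bytes(b"original web binary")
        (root / "unexpected.txt").unlink()
        after_revert = poll(baseline, root, events)  # snapshot now looks clean

        return while_tampered, after_revert, events


if __name__ == "__main__":
    tampered, clean, log = demo()
    print("diff while tampered:", tampered)
    print("diff after revert:  ", clean)
    print("events recorded by monitor between scans:", len(log))
```

The final snapshot diff is empty even though the tree was altered in between, which is exactly why a snapshot tool and a change monitor complement rather than replace each other.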

Is there a new vulnerability or compromise that was not previously disclosed?  

No, there is not a new CVE. Ivanti, and our security and government partners are not aware of any instances of successful threat actor persistence following implementation of security updates and factory resets. 

The new activity described by Ivanti, Mandiant and CISA relates to limited attempts observed to maintain persistence through factory reset that were unsuccessful, and a potential lab-based technique developed by CISA that they believe could be used to attempt persistence. Neither of these have been used successfully in the wild.   

It is important to note that, based on the evidence presented and further analysis by our team, we believe that the technique CISA identified in its technical lab would not enable a threat actor to successfully achieve undetected persistence in a live customer environment. 

Why did Ivanti conclude that the technique CISA identified in its technical lab could not enable successful persistence in a live customer environment?

Ivanti and its outside security experts assessed CISA’s technical findings and determined that if the technique were deployed on a real-life unpatched customer environment, the connection to Ivanti Connect Secure would be lost, so it could not be performed remotely. We therefore believe that this risk of persistence is not valid in an actual customer deployment.

If persistence was unsuccessful, why did Ivanti and Mandiant release this information?  

We released relevant information on 27 February regarding evolving threat actor techniques that we are monitoring, so that defenders can take steps to further protect themselves against a highly sophisticated and aggressive attack. Customers can factor this information into their own continuous monitoring, even though to date these techniques have not been deployed successfully in the wild. 

We are committed to providing information and tools to ensure our customers are protected and also remain engaged with our security and government partners to this end. 

Is CISA recommending that Ivanti customers unplug their machines?   

CISA has never instructed organizations to permanently take Ivanti systems out of production. CISA’s original directive to federal agencies was misinterpreted by media that only reported on the first step of the instructions. CISA made updates to their directive to correct this, and then subsequently updated it again on February 9 to make it absolutely clear that you can turn the product on after patching.

CISA’s 29 February advisory compiles prior research, as well as a lab-based technique that they believe could be used to attempt persistence and advises customers to be aware of the risks. It is important to note that we do not believe the activity outlined in CISA’s report could be performed remotely.

Why does the Ivanti Connect Secure product have older open-source package versions in it? 

The hardware for the 9.x version of the product does not have enough CPU capacity to run a newer Linux kernel, and the resulting kernel limitations require the older open-source packages to be used. The product is not made vulnerable by these older open-source packages, as we have backported security fixes. In the case of the CISA report, the version number is not a reliable indication of the binary package's contents or of whether it is vulnerable, because backporting security fixes does not change the version number of the binary package.

All supported versions of Ivanti Connect Secure are certified by The National Information Assurance Partnership (NIAP) and have been for approximately 20 years, a validation that the products meet security requirements for U.S. national security system procurement.

The newer 22.x version of Ivanti Connect Secure is built on a new Linux kernel that does require a more powerful CPU and as such we have introduced a new platform, the ISA, which does not have the older versions of open source packages in it and is capable of additional security enhancements.

We officially released an End-of-Life notification for the 9.x hardware and software product in July 2022. We are actively working with our customers to refresh their appliances to 22.x or migrate to the cloud with Ivanti Neurons for Zero Trust Access. 

All code present in Ivanti products, including the 9.x older open source code, is clearly outlined in our attributions and SBOMs, which are available in the product documentation available on ivanti.com.

You can read answers to all of the most commonly asked questions here.