The steps include:
- Identifying any additional systems connected or recently connected to the affected Ivanti device
- Monitoring the authentication or identity management services that could be exposed
- Isolating the systems from any enterprise resources to the greatest degree possible
- Continuing to audit privilege-level access accounts.
The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that includes factory-resetting their systems, rebuilding them following Ivanti’s previously issued instructions, and installing the Ivanti patches.
“Agencies running the affected products must assume domain accounts associated with the affected products have been compromised,” Wednesday’s directive said. Officials went on to mandate that by March 1, agencies must have reset passwords “twice” for on-premises accounts, revoked Kerberos-enabled authentication tickets, and then revoked tokens for cloud accounts in hybrid deployments.
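As an added illustration of the identity steps the directive mandates (not code from the article, CISA or Ivanti), the script below applies the double password reset, the Kerberos ticket invalidation and the cloud token revocation to a constructed set of accounts. It assumes the ActiveDirectory and Microsoft Graph PowerShell modules, Domain Admin rights, the Graph `User.RevokeSessions.All` permission, and placeholder account names that must be replaced with the domain accounts actually tied to the affected device.

```powershell
# Added example: identity remediation for accounts associated with an affected
# appliance. Account names and UPNs below are placeholders, not real identities.
#Requires -Modules ActiveDirectory
param(
    # Placeholder on-premises accounts the device used (LDAP bind, RADIUS, etc.)
    [string[]]$OnPremAccounts = @('svc-ivanti-ldap', 'svc-ivanti-radius'),
    # Placeholder hybrid identities whose cloud sessions must also be revoked
    [string[]]$HybridUpns = @('svc-ivanti-ldap@corp.example'),
    # Pause between the two resets so the first value replicates to every DC
    [int]$ReplicationWaitSeconds = 600
)

function New-RandomPassword {
    # 32 random bytes, base64-encoded (44 characters); never logged or reused
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-AccountTwice {
    param([string]$Identity)
    # The directive requires two resets so that no previously valid secret
    # survives in the account's password history; for krbtgt the KDC keeps the
    # prior key, so only the second reset invalidates tickets issued under it.
    foreach ($round in 1, 2) {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword (New-RandomPassword)
        $stamp = (Get-ADUser -Identity $Identity -Properties PasswordLastSet).PasswordLastSet
        Write-Host "[$Identity] reset $round complete, PasswordLastSet=$stamp"
        if ($round -eq 1) { Start-Sleep -Seconds $ReplicationWaitSeconds }
    }
}

# 1. Domain accounts associated with the affected products, treated as compromised.
foreach ($acct in $OnPremAccounts) { Reset-AccountTwice -Identity $acct }

# 2. Kerberos tickets: every TGT is encrypted with the krbtgt key, so resetting
#    krbtgt twice invalidates all tickets issued before the change.
Reset-AccountTwice -Identity 'krbtgt'

# 3. Hybrid deployments: revoke cloud refresh and session tokens via Microsoft Graph.
Connect-MgGraph -Scopes 'User.RevokeSessions.All'
foreach ($upn in $HybridUpns) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "[$upn] cloud sign-in sessions revoked"
}
```

Run it from a domain-joined administrative host after the appliance has been isolated; the krbtgt reset will force every user and service in the domain to re-authenticate, which is the intended effect.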
Steven Adair, the president of Volexity, the security firm that discovered the initial two vulnerabilities, said its most recent scans indicate that at least 2,200 customers of the affected products have been compromised to date. He applauded CISA’s Wednesday directive.
“This is effectively the best way to alleviate any concern that a device might still be compromised,” Adair said in an email. “We saw that attackers were actively looking for ways to circumvent detection from the integrity checker tools. With the previous and new vulnerabilities, this course of action around a completely fresh and patched system might be the best way to go for organizations to not have to wonder if their device is actively compromised.”
The directive is binding only on agencies under CISA’s authority. Any user of the vulnerable products, however, should follow the same steps immediately if they haven’t already.