URL: https://www.darkreading.com/cloud-security/ivanti-poor-marks-cyber-incident-response


IVANTI GETS POOR MARKS FOR CYBER INCIDENT RESPONSE

Cascading critical CVEs, cyberattacks, and delayed patching are plaguing Ivanti
VPNs, and forcing cybersecurity teams to scramble for solutions. Researchers are
unimpressed.

Becky Bracken, Editor, Dark Reading

February 13, 2024

5 Min Read
Source: Yee Xin Tan via Alamy Stock Photo


Editor's note: CISA clarified its guidance regarding Ivanti VPN appliances to
explain they may be reconnected to government networks following the completion
of necessary mitigations. This story has been updated to reflect CISA's Feb. 9
supplemental advisory on Ivanti products.

Here's what's clear about the current cybersecurity state of Ivanti's VPN
appliances — they have been widely vulnerable to cyberattack, and threat actors
are onto the possibilities. It's up to enterprise cyber teams to decide what
comes next.



So far, Ivanti has disclosed five VPN flaws in 2024, most exploited as zero-days
— with two of them publicly announced weeks before patches became available.
Some critics, like cybersecurity researcher Jake Williams, see the glut of
Ivanti vulnerabilities, and the company's slow incident response, as an
existential threat to the business.

Williams blames Ivanti's current problems on years of neglecting secure coding
and security testing. To recover, Ivanti would have to both pay down that
technical debt and somehow rebuild trust with its customers, according to
Williams, a task he says he is dubious Ivanti will be able to pull off.



"I don't see how Ivanti survives as an enterprise firewall brand," Williams
tells Dark Reading, a sentiment he has repeated widely on social media.

A more generous view of the recent spate of zero-day disclosures is that it's a
positive sign Ivanti is taking a long, hard look at its cybersecurity.

"Ivanti is digging deep into its own products in order to find, fix, and
disclose vulnerabilities, and deserves some credit for that," says John
Gallagher, vice president of Viakoo Labs.



Asked for comment, Ivanti referred Dark Reading to its Feb. 8 blog post
regarding its most recent disclosure.


IVANTI'S WOES FALL ON CYBER TEAMS

Ultimately, enterprise teams will have to choose. They can follow CISA's advice:
disconnect Ivanti VPN appliances and update them before they are reconnected.
Or, since the appliances are already offline for patching, they can replace the
Ivanti gear altogether. Either way, they also have to explain the decision to
higher-ups.

Patching is a reasonable response, but Ivanti's patching schedule slipped for
the aforementioned pair of zero-day vulnerabilities disclosed on Jan. 10
(CVE-2024-21887 and CVE-2023-46805). Those two remained under active exploitation
with no patch available for 20 days before fixes arrived on Jan. 30. And the
fixes came with more bad news: The same Ivanti update also addressed two
additional, previously undisclosed bugs (CVE-2024-21888 and CVE-2024-21893), the
latter of which was also already being exploited in the wild.



That was enough for CISA to issue a Feb. 1 mandate for federal agencies to
disconnect Ivanti products from their systems. CISA issued a clarification to
the directive on Feb. 9 that Ivanti VPN appliances may be reconnected to
government networks once they are sufficiently patched, and in some cases, reset
to factory settings.

A fifth Ivanti vulnerability was disclosed on Feb. 9, tracked as CVE-2024-22024.
Eventually, Ivanti credited watchTowr with the find, though at first it claimed
internal teams found the bug, sowing some confusion in bug-hunter ranks.

Further undermining confidence in Ivanti security practices is the fact that the
initial Jan. 10 bugs were originally due to get patches on Jan. 22 — but Ivanti
pushed the release date back to the 30th.

"These devices need their software engineered with the same kind of seriousness
that this threat requires," says John Bambenek, president at Bambenek
Consulting. "When you publish zero-day patch schedules, you need to hit those
targets, especially in a situation like this."



Meanwhile, Ivanti's persistent flaws have attracted crowds of attackers,
including Chinese state-sponsored threat actors. And Piotr Kijewski of the
Shadowserver Foundation confirmed to Dark Reading that at least 47 IP addresses
have so far been observed attempting to exploit the most recently disclosed
Ivanti VPN bug.

There is some confusion here too: Ivanti issued the following statement to Dark
Reading in response to the Shadowserver report: "We have no indication that
CVE-2024-22024 has been exploited in the wild."

Viakoo's Gallagher gives Ivanti poor marks for its incident response so far.

"Ivanti’s recovery will need to address both the technical aspects of these
attacks, and the trust/reputational damage this has caused them," he says. "On
both fronts they have stumbled badly."


IVANTI VOWS TO FIX FLAWS, CUSTOMERS CAUTIOUS

In a Feb. 8 advisory about the most recent Ivanti Connect Secure and Ivanti
Policy Secure gateway bugs, Ivanti assured customers that it is now conducting a
full audit of its code.

"Our team has been working around the clock to aggressively review all code and
is singularly focused on bringing full resolution to the issues affecting Ivanti
Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and ZTA
gateways," the company said.

As Ivanti's cybersecurity troubles mount, the lesson for cyber teams is that
reactive patching of edge devices, on its own, isn't sufficient, according to
Patrick Tiquet, vice president of security and architecture at Keeper Security.

"It is imperative that vendors prioritize identifying and resolving issues
within their solutions," Tiquet says. "But organizations should regularly engage
in pen-testing of their own products and services to proactively find
vulnerabilities before someone else does."

Only time will tell whether Ivanti can win back the customers who have already
left and reassure the ones who have stuck around. In the meantime, Bambenek
advises enterprise security teams to remain cautious.



"If I were a CISO, I'd take a pass on Ivanti for a few years until they’ve
proven themselves again," he adds.



