CISA says crooks used Ivanti bugs to snoop around high-risk chemical facilities

Crafty crims broke in but encryption stopped any nastiness

US cybersecurity agency CISA is urging high-risk chemical facilities to secure their online accounts after someone broke into its Chemical Security Assessment Tool (CSAT) portal.

CSAT is used by industry facilities that house chemicals of interest, of which there are more than 300, in quantities at or above a certain threshold. These chemicals could be dangerous if they fell into the wrong hands, and could be used for things like explosives and weapons.

Essentially, it's used to determine which facilities are deemed high risk under Chemical Facility Anti-Terrorism Standards regulations.

In normal circumstances, only facility members who have passed the Chemical-terrorism Vulnerability Information training and certification are allowed to access the portal. 

However, criminals with the knowledge to exploit vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways might have been able to bypass the training altogether in January.

CISA didn't explicitly name the vulnerabilities exploited, but pointed to a February advisory that listed CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 as potentially the main culprits here.

All three were added to CISA's known exploited vulnerabilities (KEV) catalog in January and given an unusually tight 48-hour deadline for patching, illustrating the perceived severity in the upper echelons of government.

"On January 26, CISA identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance," the cyber agency said in a statement. "During the investigation, we identified that a malicious actor installed an advanced webshell on the Ivanti device. This type of webshell can be used to execute malicious commands or write files to the underlying system.

"Our analysis further identified that a malicious actor accessed the webshell several times over a two-day period. Importantly, our investigation did not identify adversarial access beyond the Ivanti device nor data exfiltration from the CSAT environment."

Responsibility for the breach has not been officially assigned, but when we took a look at the wave of exploits using these vulnerabilities earlier in the year, we found that Chinese state-sponsored groups may have backdoored more than 1,700 devices using them.

As for what those who broke into the CSAT were up to, CISA said there's no evidence to suggest any data was stolen.

It listed a number of concerning data types that were potentially accessed to some degree, but said in a letter [PDF] to affected individuals that all of the data was encrypted using AES-256 and that the encryption keys weren't reachable with the level of access the attackers had.

Among the exposed data were Top-Screen surveys, which are online questionnaires used by chemical facilities to declare what chemicals of interest they possess, and the details submitted are used to designate how much of a security risk that facility poses to the US.

Unencrypted access to this information would have given onlookers details about what chemicals are stored where – and in what quantities.

Couple this with the potential unauthorized access to security vulnerability assessments that are submitted by the facility as well, which include details of its security posture and exposure to vulnerabilities, and that would have been a recipe for substantial danger.

Encrypted site security plans may also have been accessed, CISA said, which would have exposed the weak points of a facility's physical security.

Submissions made through the Personnel Surety Program could have been accessed by attackers too if they weren't properly secured.

These would have exposed the personal details of all facility staffers who had access to the chemicals of interest as well as their passport number, Global Entry ID number, and their TWIC card number.

Finally, CSAT user accounts may also have been exposed, which means names, titles, business addresses, and business phone numbers could have been accessed.

"Following the reporting requirements under the Federal Information Security Modernization Act (FISMA), CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information," CISA said.

Even though there's no evidence to suggest any material mischief was managed as a result of the intrusion, potentially affected facilities and individuals were notified "out of an abundance of caution."

As for actionable advice, CISA just said those who have CSAT accounts should think about rotating their passwords for any and all accounts they may have, including business and personal ones without any ties to the US government, that used the same password. Just in case they get caught up in password-spraying attacks down the line.

Other than that, it was just another reminder to patch the Ivanti bugs that ultimately facilitated the intrusion at CISA's CSAT.

Anyone who was vetted under the Personnel Surety Program between December 2015 and July 2023 can soon apply for identity protection – CISA is just sorting those services out now and they will be made available soon.

"The Department of Homeland Security performed a risk-based assessment as to which individuals may face adverse consequences if worst-case circumstances were realized," CISA said.

"In this assessment, it was determined that individuals vetted under the CFATS Personnel Surety Program between December 2015 and July 2023 were the only population that faced this risk due to the information that was potentially exposed." ®

More about


Send us news

Other stories you might like