CISA cautions against using hacked Ivanti VPN gateways even after factory resets
The U.S. Cybersecurity and Infrastructure Security Agency revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
"The authoring organizations encourage network defenders to assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, hunt for malicious activity on their networks using the detection methods and indicators of compromise within this advisory, run Ivanti's most recent external ICT, and apply available patching guidance provided by Ivanti as version updates become available." - CISA
Today, in response to CISA's advisory, Ivanti said that remote attackers attempting to gain root persistence on an Ivanti device using the method CISA found would lose connection to the Ivanti Connect Secure appliance.
Despite the company's assurances, CISA urged all Ivanti customers today to "Consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment".
In other words, CISA warns it may still not be safe to use previously compromised Ivanti Connect Secure and Ivanti Policy Secure devices even after cleaning and performing a factory reset.
On February 1st, in response to the "Substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours.