Cybersecurity Briefing — January 22, 2024

CISA, FBI, NSA, and Five Eyes partners used joint advisory AA24-022A to mandate emergency hunts on Ivanti VPN appliances, outlining exploitation tradecraft, detection tooling, and governance actions for agencies and critical infrastructure.

Executive briefing: On , the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and cybersecurity authorities from Australia, Canada, and New Zealand released joint advisory AA24-022A. The bulletin warns that advanced persistent threat actors are exploiting Ivanti Connect Secure and Ivanti Policy Secure zero-days—CVE-2023-46805 and CVE-2024-21887—to gain persistent access to enterprise networks. Beyond reiterating Emergency Directive 24-01 for federal agencies, the advisory furnishes detection scripts, forensic artefacts, and governance recommendations for critical infrastructure operators, managed service providers, and any enterprise reliant on Ivanti remote-access gateways.

Threat activity summary. The advisory details how attackers combine the authentication bypass flaw (CVE-2023-46805) with a command-injection weakness (CVE-2024-21887) to execute arbitrary commands on Ivanti appliances. Once inside, actors deploy custom webshells such as GLASSTOP and LIGHTWIRE, add malicious cron jobs, and modify legitimate scripts (e.g., dsstart.sh) to ensure persistence through reboots. Some campaigns load a lightweight SSH server, DROPBEAR, to maintain remote control. Intelligence services have also observed data exfiltration of configuration files containing LDAP, RADIUS, and SAML secrets, enabling lateral movement into identity systems and cloud services. The advisory emphasises that these techniques are being leveraged by state-sponsored actors, raising geopolitical risk and the likelihood of follow-on supply chain compromises.

Logging blind spots and forensic expectations. Ivanti appliances historically capture limited logging by default, meaning exploitation evidence may not appear in syslog or RADIUS audit trails. AA24-022A instructs defenders to enable enhanced logging, collect /var/log/auth.log and /var/log/lastlog files, and capture verbose web logs from /var/log/httpd/error_log. Analysts should also query the appliance database using sqlite3 to inspect session tables for anomalous source IPs and disabled logging entries. The advisory provides YARA rules for identifying malicious binaries and guidance on using Ivanti’s Integrity Checker Tool to compare system files against known-good baselines. Organisations must preserve forensic artefacts—including disk images and integrity-check outputs—for potential legal discovery and regulator review.
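The sqlite3 session review described above, written out as an added example that is not part of the advisory or of Ivanti's tooling: the `sessions` and `settings` table and column names are hypothetical stand-ins for the real appliance schema, the 10.20.0.0/16 allow-list is an assumption, and every row is constructed.

```python
import ipaddress
import sqlite3

# Corporate source ranges expected for VPN sessions; an assumption for this example.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed rows. The real appliance schema is not reproduced in the advisory
# text, so the `sessions` and `settings` tables are hypothetical and must be
# mapped to the actual database before use.
SAMPLE_SESSIONS = [
    ("alice", "10.20.30.40"),
    ("bob", "10.20.31.7"),
    ("svc-admin", "203.0.113.77"),  # TEST-NET-3 address, outside the allow-list
]
SAMPLE_SETTINGS = [
    ("syslog_forwarding", "on"),
    ("web_access_logging", "off"),  # a defender should never find this disabled
]

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the appliance database, filled with constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (username TEXT, src_ip TEXT)")
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SAMPLE_SETTINGS)
    conn.commit()
    return conn

def anomalous_sessions(conn, allowed=ALLOWED_SOURCES) -> list:
    """Sessions whose source address falls outside every allowed network."""
    hits = []
    for username, src_ip in conn.execute("SELECT username, src_ip FROM sessions"):
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            hits.append((username, src_ip))  # unparsable address is itself suspicious
            continue
        if not any(addr in net for net in allowed):
            hits.append((username, src_ip))
    return hits

def disabled_logging(conn) -> list:
    """Names of logging-related settings that have been switched off."""
    rows = conn.execute(
        "SELECT name FROM settings WHERE name LIKE '%log%' "
        "AND lower(value) IN ('off', '0', 'false')"
    )
    return [name for (name,) in rows]
```

Run both hunts against a copy of the real database pulled from a preserved disk image, never against the live appliance, so the forensic artefact stays intact.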

Immediate mitigation checklist. All Ivanti customers are directed to apply the mitigation XML or hotfix packages released by Ivanti, rotate administrative and user credentials, and block external access to management interfaces until appliances are verified as clean. The advisory stresses that the mitigation XML is not a permanent fix; agencies should plan to apply forthcoming patches and treat devices as compromised until proven otherwise. Operators must hunt for persistence mechanisms daily, monitor for unusual outbound connections, and consider isolating VPN appliances behind dedicated firewall segments where traffic can be inspected. These steps align with the NIST Cybersecurity Framework’s Detect and Respond functions, requiring tight coordination between network, identity, and security teams.

Detection engineering guidance. Joint authoring agencies published sample Splunk queries, Zeek signatures, and PowerShell commands to search for evidence of compromise. Example analytics include spotting outbound connections to known adversary infrastructure, detecting unsanctioned modifications to login.cgi, and identifying unexpected use of the administrative API endpoints. The advisory recommends ingesting packet capture data into network detection platforms, instrumenting egress controls to flag uploads of sess_id files, and scanning for suspicious Python libraries dropped into /root/.local/lib. Security teams should adapt these analytics to their tooling stacks (ELK, Chronicle, Microsoft Sentinel) and memorialise the resulting detections in governance documentation so they form part of ongoing monitoring programmes.
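As an added illustration of the egress and file-system analytics described above (not code from the advisory, the authoring agencies or Ivanti), this script flags uploads of sess_id files and connections to a placeholder adversary host in constructed proxy-style log lines, and lists Python files under /root/.local/lib that are absent from an assumed known-good baseline. The log format, hostnames, indicator set and baseline are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed egress proxy log lines: "<ts> <src_ip> <method> <url> <bytes>".
# This is not an Ivanti log format; adapt LINE_RE to your proxy or NDR export.
SAMPLE_EGRESS_LOG = """\
2024-01-22T10:01:05Z 10.20.5.9 GET https://updates.example.com/manifest 512
2024-01-22T10:02:11Z 10.20.5.9 POST https://198.51.100.23/upload/sess_id.tar 40960
2024-01-22T10:03:48Z 10.20.5.9 PUT https://files.example.net/backup/archive.zip 2048
2024-01-22T10:04:02Z 10.20.5.9 GET http://203.0.113.5/beacon 64
"""
# Placeholder adversary infrastructure (a TEST-NET address); substitute the
# indicators published with the advisory.
KNOWN_BAD_HOSTS = {"203.0.113.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)

def scan_egress(log_text: str, bad_hosts=KNOWN_BAD_HOSTS) -> list:
    """Flag uploads of sess_id files and any connection to a known adversary host."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the hunt
        url = urlparse(m["url"])
        if m["method"] in ("POST", "PUT") and "sess_id" in url.path:
            alerts.append({"ts": m["ts"], "host": url.hostname, "reason": "sess_id upload"})
        if url.hostname in bad_hosts:
            alerts.append({"ts": m["ts"], "host": url.hostname, "reason": "known adversary host"})
    return alerts

# Constructed listing of the appliance's /root/.local/lib tree. The baseline is
# whatever the known-good image contains, captured before the appliance was exposed.
SAMPLE_LISTING = [
    "/root/.local/lib/python3/site-packages/requests/__init__.py",
    "/root/.local/lib/python3/site-packages/unexpected.py",
]
BASELINE_LIBS = {"/root/.local/lib/python3/site-packages/requests/__init__.py"}

def unexpected_python_libs(listing, baseline=BASELINE_LIBS) -> list:
    """Python files under /root/.local/lib that the known-good baseline does not contain."""
    return sorted(
        p for p in listing
        if p.startswith("/root/.local/lib/") and p.endswith(".py") and p not in baseline
    )
```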

Governance and reporting obligations. AA24-022A reiterates that US federal civilian agencies must comply with Emergency Directive 24-01, while critical infrastructure operators covered by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) should assess whether exploitation triggers 72-hour reporting requirements once the final rule takes effect. Public companies subject to the US Securities and Exchange Commission’s cyber disclosure rule need to evaluate materiality based on potential disruption to remote workforces or exposure of regulated data. The advisory also reminds contractors supporting the Department of Defense, intelligence community, or UK Ministry of Defence that contract clauses may mandate immediate notification and cooperative forensics, meaning governance teams must synchronise legal, procurement, and cybersecurity functions.

Third-party and supply chain considerations. Managed security service providers (MSSPs), telecom carriers, and cloud access brokers often host Ivanti appliances on behalf of customers. The advisory urges organisations to obtain written attestations from these partners confirming that mitigation steps are complete, integrity checks are running, and downstream identities have been reviewed for compromise. Procurement teams should refresh vendor questionnaires to include Ivanti-specific controls, request evidence of hardening (e.g., disabling unnecessary local accounts, enforcing certificate-based admin access), and confirm that incident response playbooks account for coordinated notification obligations. These activities support compliance with frameworks like ISO/IEC 27036 (supplier relationships) and the European Union’s NIS2 Directive, which emphasises supply chain governance.

Strategic remediation roadmap. Beyond immediate containment, enterprises should develop a phased plan to reduce long-term dependency on legacy VPN gateways. Phase 1 involves deploying network segmentation and micro-perimeters around critical Ivanti appliances, integrating them with Security Orchestration, Automation, and Response (SOAR) platforms for rapid containment, and validating backups of configurations. Phase 2 introduces zero trust network access (ZTNA) pilots that provide application-level access based on identity, device posture, and continuous risk signals, reducing exposure to perimeter exploits. Phase 3 focuses on decommissioning or repurposing residual VPN infrastructure, updating disaster recovery plans, and ensuring workforce change management addresses authentication and authorization changes. Documenting this roadmap in risk registers and board updates demonstrates proactive governance.

Cross-sector regulatory alignment. Financial institutions supervised by the Federal Financial Institutions Examination Council (FFIEC) should map Ivanti response actions to the Architecture, Infrastructure, and Operations booklet expectations for patch management and remote access. Healthcare entities covered by HIPAA must review whether compromised appliances facilitated access to protected health information, potentially triggering breach notification obligations. Utilities bound by the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards need to confirm that Electronic Access Control or Monitoring Systems (EACMS) using Ivanti have compensating measures in place. The advisory serves as a unifying reference for aligning these sector-specific mandates with contemporary threat intelligence.

Metrics, assurance, and board reporting. Governance teams should quantify exposure by tracking the number of Ivanti appliances in inventory, percentage with mitigations applied, time-to-detect suspicious activity after integrity checks run, and count of downstream systems requiring credential resets. Boards expect to see a narrative connecting these metrics to enterprise risk appetite statements, including how the organisation balances operational disruption against the risk of sustained compromise. Internal audit or third-party assessors should plan follow-up reviews that validate the completeness of forensic artefact retention, evaluate whether detection analytics remain enabled, and confirm that tabletop exercises incorporate the advisory’s threat scenarios.

AA24-022A exemplifies the collaborative posture of modern cyber defence: intelligence agencies release detailed tradecraft so organisations can act swiftly, but they expect disciplined governance to translate guidance into durable controls. Enterprises that pair the advisory’s technical artefacts with executive accountability, third-party oversight, and zero-trust transformation will emerge more resilient—not only to the current Ivanti campaign but to future vulnerabilities targeting remote-access infrastructure.