Cybersecurity · 7 min read · Credibility 90/100

Cybersecurity — Joint advisory

CISA updated Ivanti guidance after discovering the vulnerabilities were worse than first thought. The 'factory reset plus patch' remediation was not enough—check for persistence mechanisms.

Reviewed for accuracy by Kodi C.


On , the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and cybersecurity authorities from Australia, Canada, and New Zealand released joint advisory AA24-022A. The bulletin warns that advanced persistent threat actors are exploiting Ivanti Connect Secure and Ivanti Policy Secure zero-days—CVE-2023-46805 and CVE-2024-21887—to gain persistent access to enterprise networks. Beyond reiterating Emergency Directive 24-01 for federal agencies, the advisory furnishes detection scripts, forensic artifacts, and governance recommendations for critical infrastructure operators, managed service providers, and any enterprise reliant on Ivanti remote-access gateways.

Threat activity summary. The advisory details how attackers chain the authentication bypass (CVE-2023-46805) with a command-injection weakness (CVE-2024-21887) to execute arbitrary commands on Ivanti appliances without valid credentials. Once inside, actors deploy custom webshells such as GLASSTOKEN and LIGHTWIRE, add malicious cron jobs, and modify legitimate scripts (for example, dsstart.sh) so that their access survives reboots. Some campaigns install Dropbear, a lightweight SSH server, to maintain remote control. Intelligence services have also observed exfiltration of configuration files containing LDAP, RADIUS, and SAML secrets, which enables lateral movement into identity systems and cloud services; any secret stored on an exposed appliance should be assumed compromised and rotated. The advisory emphasizes that these techniques are being used by state-sponsored actors, raising geopolitical risk and the likelihood of follow-on supply chain compromises.

Logging blind spots and forensic expectations. Ivanti appliances historically capture limited logging by default, so exploitation evidence may not appear in syslog or RADIUS audit trails. AA24-022A instructs defenders to enable improved logging, collect /var/log/auth.log and /var/log/lastlog, and capture verbose web logs from /var/log/httpd/error_log. Analysts should also query the appliance database with sqlite3 to inspect session tables for anomalous source IPs and for entries indicating that logging was disabled. The advisory provides YARA rules for identifying malicious binaries and guidance on using Ivanti's Integrity Checker Tool (ICT) to compare system files against known-good baselines. Treat a clean ICT result as necessary but not sufficient: persistence has been observed to survive a factory reset, and a check run on a compromised appliance can itself be subverted, so run integrity checks against an offline disk image where possible and correlate them with the log artifacts above. Teams must preserve forensic artifacts, including disk images and integrity-check outputs, for potential legal discovery and regulator review.
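The baseline comparison and persistence hunt described above, as an added example that is not Ivanti's Integrity Checker Tool or any code from the advisory. It hashes a mounted copy of the appliance filesystem, diffs it against a known-good baseline, and then looks for the persistence techniques the advisory lists (cron jobs pointing at writable paths, Python libraries under /root/.local/lib). The demo tree, its file paths and the "attacker" changes are constructed placeholders; the point is to run this against an offline image rather than on the live appliance.

```python
"""Offline integrity and persistence check over a copy of an appliance's
filesystem. Added example: this is not Ivanti's Integrity Checker Tool, and
the demo tree, baseline and file paths below are constructed placeholders."""
import hashlib
import re
import tempfile
from pathlib import Path

# Persistence patterns from the advisory's description: cron jobs that run
# something out of a writable path or fetch/decode a payload, and Python
# packages dropped under /root/.local/lib.
SUSPICIOUS_CRON = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|base64|curl |wget )")


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hashes[path.relative_to(root).as_posix()] = digest
    return hashes


def diff_against_baseline(baseline, current):
    """Classify files as added, removed or modified relative to a known-good baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def find_persistence_indicators(root):
    """Flag suspicious cron entries and Python files under root/.local/lib."""
    root = Path(root)
    findings = []
    cron_files = [root / "etc/crontab"]
    if (root / "etc/cron.d").is_dir():
        cron_files += sorted((root / "etc/cron.d").iterdir())
    for cron in cron_files:
        if not cron.is_file():
            continue
        for lineno, line in enumerate(cron.read_text(errors="replace").splitlines(), 1):
            if line.lstrip().startswith("#") or not SUSPICIOUS_CRON.search(line):
                continue
            findings.append(("cron", f"{cron.relative_to(root).as_posix()}:{lineno}", line.strip()))
    lib_dir = root / "root/.local/lib"
    if lib_dir.is_dir():
        for py in sorted(lib_dir.rglob("*.py")):
            findings.append(("python_lib", py.relative_to(root).as_posix(), ""))
    return findings


def run_check(baseline, mount):
    """Hash diff plus persistence hunt over a mounted (offline) file tree."""
    return diff_against_baseline(baseline, hash_tree(mount)), find_persistence_indicators(mount)


def build_demo_tree():
    """Constructed fixture: a clean tree to baseline, then a tampered copy of it."""
    clean_files = {
        "home/webserver/htdocs/dana-na/auth/login.cgi": "#!/usr/bin/perl\n# login handler (constructed)\n",
        "home/bin/dsstart.sh": "#!/bin/sh\nexec /home/bin/dsserver\n",
        "etc/crontab": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    }
    tampered = dict(clean_files)
    tampered["home/webserver/htdocs/dana-na/auth/login.cgi"] += "# appended by attacker (constructed)\n"
    tampered["home/bin/dsstart.sh"] += "/tmp/.p &\n"  # startup script edited to relaunch a payload
    tampered["etc/crontab"] += "*/5 * * * * root /bin/sh /tmp/.p\n"
    tampered["root/.local/lib/python3/site-packages/helper.py"] = "import os\n"

    def materialise(files):
        root = tempfile.mkdtemp()
        for rel, body in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return root

    return hash_tree(materialise(clean_files)), materialise(tampered)


if __name__ == "__main__":
    baseline, mount = build_demo_tree()
    diff, indicators = run_check(baseline, mount)
    print(diff)
    for kind, where, detail in indicators:
        print(kind, where, detail)
```

The baseline must come from a trusted source (vendor-published hashes or an image you captured before exposure), and the hashing must run from an analysis host against the mounted image: a checker executed on the appliance trusts the appliance's own kernel, shell and libraries, which is exactly what a root-level implant controls.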

Immediate mitigation checklist. All Ivanti customers are directed to apply the mitigation XML or hotfix packages released by Ivanti, rotate administrative and user credentials, and block external access to management interfaces until appliances are verified as clean. The advisory stresses that the mitigation XML is not a permanent fix; agencies should plan to apply forthcoming patches and treat devices as compromised until proven otherwise. Operators must hunt for persistence mechanisms daily, monitor for unusual outbound connections, and consider isolating VPN appliances behind dedicated firewall segments where traffic can be inspected. These steps align with the NIST Cybersecurity Framework’s Detect and Respond functions, requiring tight coordination between network, identity, and security teams.

Detection engineering guidance. The joint authoring agencies published sample Splunk queries, Zeek signatures, and PowerShell commands to search for evidence of compromise. Example analytics include spotting outbound connections to known adversary infrastructure, detecting unsanctioned modifications to login.cgi, and identifying unexpected use of the administrative API endpoints. The advisory recommends ingesting packet capture data into network detection platforms, instrumenting egress controls to flag uploads of sess_id files, and scanning for suspicious Python libraries dropped into /root/.local/lib. Security teams should adapt these analytics to their own tooling (ELK, Chronicle, Microsoft Sentinel) and record the resulting detections in governance documentation so they become part of the ongoing monitoring program rather than a one-off hunt.
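Two of the analytics named above (unexpected outbound connections from the appliance, and administrative API calls from non-administrative sources) as runnable detection logic over constructed sample logs. This is an added example, not the agencies' published Splunk or Zeek content. The appliance address, the egress and admin-source allowlists, the /api/v1/ prefix and the sample Zeek conn.log and web access-log lines are all assumed placeholders.

```python
"""Two of the advisory's detection ideas as runnable analytics over constructed
sample logs. Added example, not the agencies' published queries. The appliance
address, egress allowlist, admin-source allowlist and /api/v1/ prefix are
assumed placeholders to replace with your own environment's values."""
import ipaddress
import re

APPLIANCE_IP = ipaddress.ip_address("10.0.5.10")                      # assumed
EGRESS_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]  # assumed: LDAP, RADIUS, update servers
ADMIN_SOURCES = [ipaddress.ip_network("10.0.9.0/24")]                 # assumed admin jump hosts
ADMIN_API = re.compile(r"^/api/v1/")                                  # assumed admin REST prefix

# Combined access-log format, as the appliance's web logs would be shipped to a SIEM.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed Zeek conn.log (tab-separated, with Zeek's own #fields header).
SAMPLE_CONN = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["1707534847.123", "CxY1", "10.0.5.10", "51234", "10.0.1.20", "389", "tcp", "ldap", "0.5", "1200", "800", "SF"],
    ["1707534850.456", "CxY2", "10.0.5.10", "51235", "198.51.100.44", "443", "tcp", "ssl", "120.0", "9400000", "2100", "SF"],
    ["1707534860.789", "CxY3", "10.0.9.5", "40000", "10.0.5.10", "443", "tcp", "ssl", "3.0", "500", "700", "SF"],
    ["1707534870.000", "CxY4", "10.0.5.10", "51236", "203.0.113.10", "443", "tcp", "ssl", "1.0", "-", "500", "SF"],
])

# Constructed web access-log lines from the appliance (paths are illustrative).
SAMPLE_ACCESS = """\
10.0.9.5 - - [10/Feb/2024:03:14:07 +0000] "GET /api/v1/configuration/admin-users HTTP/1.1" 200 4096
198.51.100.44 - - [10/Feb/2024:03:15:10 +0000] "GET /api/v1/configuration/export HTTP/1.1" 200 1024
192.0.2.8 - - [10/Feb/2024:03:16:02 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 302 0
"""


def in_any(ip, networks):
    return any(ip in net for net in networks)


def parse_zeek(text):
    """Parse Zeek TSV using its #fields header; '-' is Zeek's unset marker."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def egress_alerts(rows, appliance=APPLIANCE_IP, allow=EGRESS_ALLOWLIST):
    """Connections the appliance originated to destinations outside the allowlist."""
    alerts = []
    for r in rows:
        if r["id.orig_h"] != str(appliance):
            continue  # inbound or unrelated flow
        dst = ipaddress.ip_address(r["id.resp_h"])
        if not in_any(dst, allow):
            sent = 0 if r["orig_bytes"] == "-" else int(r["orig_bytes"])
            alerts.append({"uid": r["uid"], "resp_h": str(dst), "resp_p": int(r["id.resp_p"]), "orig_bytes": sent})
    return alerts


def admin_api_alerts(lines, admin_sources=ADMIN_SOURCES):
    """Administrative API requests from a source that is not an approved admin host."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if ADMIN_API.match(m["path"]) and not in_any(src, admin_sources):
            alerts.append({"src": str(src), "path": m["path"], "status": int(m["status"])})
    return alerts


if __name__ == "__main__":
    for a in egress_alerts(parse_zeek(SAMPLE_CONN)):
        print("egress", a)
    for a in admin_api_alerts(SAMPLE_ACCESS.splitlines()):
        print("admin-api", a)
```

The egress check deliberately uses an allowlist of expected destinations rather than a blocklist of published adversary addresses: a VPN gateway has a small, knowable set of legitimate peers (identity stores, update servers, logging), so anything else is worth a look, and the detection keeps working after the attacker rotates infrastructure. The orig_bytes volume on a flagged connection is what distinguishes a beacon from a configuration-file upload.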

Governance and reporting obligations. AA24-022A reiterates that US federal civilian agencies must comply with Emergency Directive 24-01, while critical infrastructure operators covered by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) should assess whether exploitation triggers 72-hour reporting requirements once the final rule takes effect. Public companies subject to the US Securities and Exchange Commission's cyber disclosure rule need to evaluate materiality based on potential disruption to remote workforces or exposure of regulated data. The advisory also reminds contractors supporting the Department of Defense, the intelligence community, or the UK Ministry of Defence that contract clauses may mandate immediate notification and cooperative forensics, meaning governance teams must synchronize legal, procurement, and cybersecurity functions.

Third-party and supply chain considerations. Managed security service providers (MSSPs), telecom carriers, and cloud access brokers often host Ivanti appliances on behalf of customers. The advisory urges teams to obtain written attestations from these partners confirming that mitigation steps are complete, integrity checks are running, and downstream identities have been reviewed for compromise. Procurement teams should refresh vendor questionnaires to include Ivanti-specific controls, request evidence of hardening (for example, disabling unnecessary local accounts, enforcing certificate-based admin access), and confirm that incident response playbooks account for coordinated notification obligations. These activities support compliance with frameworks like ISO/IEC 27036 (supplier relationships) and the European Union’s NIS2 Directive, which emphasizes supply chain governance.

Strategic remediation roadmap. Beyond immediate containment, enterprises should develop a phased plan to reduce long-term dependency on legacy VPN gateways. Phase 1 involves deploying network segmentation and micro-perimeters around critical Ivanti appliances, integrating them with Security Orchestration, Automation, and Response (SOAR) platforms for rapid containment, and validating backups of configurations. Phase 2 introduces zero trust network access (ZTNA) pilots that provide application-level access based on identity, device posture, and continuous risk signals, reducing exposure to perimeter exploits. Phase 3 focuses on decommissioning or repurposing residual VPN infrastructure, updating disaster recovery plans, and ensuring workforce change management addresses authentication and authorization changes. Documenting this roadmap in risk registers and board updates shows forward-looking governance.

Cross-sector regulatory alignment. Financial institutions supervised by the Federal Financial Institutions Examination Council (FFIEC) should map Ivanti response actions to the Architecture, Infrastructure, and Operations booklet expectations for patch management and remote access. Healthcare entities covered by HIPAA must review whether compromised appliances were used to access protected health information, which could trigger breach notification obligations. Utilities bound by the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards need to confirm that Electronic Access Control or Monitoring Systems (EACMS) using Ivanti have compensating measures in place. The advisory serves as a unifying reference for aligning these sector-specific mandates with contemporary threat intelligence.

Metrics, assurance, and board reporting. Governance teams should quantify exposure by tracking the number of Ivanti appliances in inventory, percentage with mitigations applied, time-to-detect suspicious activity after integrity checks run, and count of downstream systems requiring credential resets. Boards expect to see a narrative connecting these metrics to enterprise risk appetite statements, including how the organization balances operational disruption against the risk of sustained compromise. Internal audit or third-party assessors should plan follow-up reviews that validate the completeness of forensic artifact retention, evaluate whether detection analytics remain enabled, and confirm that tabletop exercises incorporate the advisory’s threat scenarios.

AA24-022A exemplifies the collaborative posture of modern cyber defense: intelligence agencies release detailed tradecraft so teams can act swiftly, but they expect disciplined governance to translate guidance into durable controls. Enterprises that pair the advisory’s technical artifacts with executive accountability, third-party oversight, and zero-trust transformation will emerge more resilient—not only to the current Ivanti campaign but to future vulnerabilities targeting remote-access infrastructure.

How to implement this

If you run affected appliances, plan the remediation as a roadmap that accounts for resource constraints, dependencies, and risk priorities. A phased approach (contain and verify first, then harden, then migrate) usually outperforms attempting every change at once, and early wins build momentum and show value to teams.

Progress monitoring should track remediation activities against planned timelines and flag issues that need intervention. Regular reporting keeps teams informed and keeps the organization focused on remediation priorities.

Stakeholder management

Effective stakeholder engagement aligns network, identity, security, legal, and procurement teams on objectives, expectations, and the remediation approach. Tailor communication to the audience: technical detail for engineering teams, risk and materiality for executives.

Change management should address organizational readiness and resistance to new requirements, such as restricted management-interface access or mandatory credential rotation. Training and support resources help the changes stick.

Iterating and improving

Continuous improvement should fold lessons learned and feedback from the remediation back into the playbook. Regular reviews surface improvement opportunities and keep the approach aligned with evolving guidance.

Documenting remediation activities and outcomes provides evidence of due diligence and supports ongoing maintenance; capturing that knowledge preserves institutional learning for future reference.


References

  1. CISA/FBI/NSA — AA24-022A Ivanti zero-day advisory — www.cisa.gov
  2. CISA Emergency Directive 24-01 — www.cisa.gov
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization