
Ivanti Disputes CISA Findings of Post-Factory Reset Hacking


Gateway Maker Says Technique Won’t Succeed in Live Customer Environment

Ivanti disputes that hackers in a production environment can establish persistence after a factory reset. (Image: Shutterstock)

Corporate VPN maker Ivanti disputed findings by the U.S. cybersecurity agency that said hackers can establish persistence on rooted appliances through a factory reset but nonetheless released an updated integrity checking tool Tuesday.


The Cybersecurity and Infrastructure Security Agency said testing on a virtual Ivanti Connect Secure appliance shows it’s possible to preserve access to a compromised device even after the factory reset Ivanti says customers should perform to protect against a rash of recently revealed vulnerabilities. CISA also said the Ivanti integrity check function in place until Tuesday made it difficult, if not impossible, to detect the persistence mechanism, “creating the illusion of a clean installation.”

An Ivanti spokesperson said the company does not believe CISA’s method would work in production. “CISA’s lab-based persistence technique has not been observed in the wild to date, and Ivanti does not believe it will succeed in a live customer environment,” the spokesperson said in an email. “Outside of a lab environment, this action would break the connection with the box, and thus would not gain persistence.”

In a blog post, the Utah company pointed to a Tuesday analysis from cyberthreat intelligence firm Mandiant, which said it spotted only failed attempts by suspected Chinese hackers to maintain persistence through a factory reset.

Likely Chinese nation-state hackers in early December started using a pair of zero-days to penetrate Ivanti gateways. As the vulnerabilities became public knowledge in early January – and as researchers found additional flaws to exploit – other hackers, including illicit crypto miners, jumped into the fray to exploit exposed Ivanti gateways. The company began rolling out patches in January and discovered additional vulnerabilities. It disclosed the most recent one Feb. 8.

Cyber defenders have spotted a rash of nation-state campaigns targeting edge devices, which face mounting criticism for security by obscurity.

Dutch intelligence agencies in February warned that “Chinese threat actors are known to perform wide and opportunistic scanning campaigns on internet-facing edge devices,” often exploiting vulnerabilities on the same day of their public disclosure (see: Chinese Hackers Penetrated Unclassified Dutch Network).

CISA in its Thursday advisory said forensic analysis has shown that Ivanti gateway hackers are able to clean up evidence of intrusions by overwriting and timestomping files and re-mounting the runtime partition to return the appliance to a “clean state.” This reinforces that scans by the Ivanti integrity checker tool “can result in a false sense of security that the device is free of compromise,” CISA said.

The agency’s main criticism against the previous version of the checker is that hackers could hide a persistence mechanism in the encryption partition of the Ivanti appliance. “It is untenable for network administrators to validate their application has not been compromised without also decrypting the partition and validating against a clean installation of the appliance, which are actions not easily accomplished at present,” CISA wrote.

Ivanti on Thursday said it had updated the tool and that it “will no longer require support to decrypt a customer’s snapshots.” The tool will “now provide customers with an unencrypted snapshot for their own review,” the company said.