The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor, and warned chemical facilities that sensitive data may have been exfiltrated.
The attackers exploited a zero-day vulnerability in an Ivanti Connect Secure appliance to infiltrate CSAT from January 23 to 26, 2024. The incident came shortly after Ivanti reported active exploitation of vulnerabilities in its Ivanti Connect Secure and Ivanti Policy Secure products, including by Chinese state actors.
In a notification letter dated June 20, 2024, CISA notified participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program about the intrusion and the potentially impacted information.
CFATS is a program that identifies and regulates high-risk chemical facilities to ensure security measures are in place to reduce the risk of certain hazardous chemicals being weaponized. Any facility that manufactures, uses, stores, or distributes chemicals of interest (COI) at or above the screening threshold quantities (STQ) and/or concentrations is required to report those holdings to CISA via the CSAT.
While there is currently no evidence of exfiltration of this data, CISA has informed individuals who had their personally identifiable information (PII) submitted to the program for vetting or had a Chemical-terrorism Vulnerability Information (CVI) Authorized User account, that their information may have been inappropriately accessed.
This includes PII of facility personnel and unescorted visitors who had or were seeking access to restricted areas and critical assets at high-risk chemical facilities. These individuals PII is required to be submitted through CSAT for vetting purposes.
PII information potentially exfiltrated by the attackers include:
- Name/aliases
- Place of birth
- Citizenship
- Redress number
- Global Entry ID
Account information potentially exfiltrated by the attackers are businesses names, titles, addresses and phone numbers.
How the Attackers Infiltrated CSAT
CISA said it identified potentially malicious activity affecting the CSAT Ivanti Connect Secure appliance on January 26, immediately taking the system offline and isolating it. A forensic investigation was then launched involving technical experts from CISA’s Office of the Chief Information Officer, Cybersecurity Division’s Threat Hunting team and the Department of Homeland Security’s (DHS) Network Operations Center (NOC).
Read here: CISA Emergency Directive Demands Action on Ivanti Zero-Days
The investigation revealed that a malicious actor installed an advanced webshell on the Ivanti device. This webshell was capable of executing malicious commands or writing files to the underlying system.
The agency discovered that the threat actor accessed the webshell several times over a two-day period.
No exfiltration of data from CSAT or adversary access beyond the Ivanti device was identified. CISA added that all data held in CSAT was encrypted and information from each application had additional security controls limiting the likelihood of lateral access.
Additionally, encryption keys were hidden from the type of access the threat actor had to the system.
While no evidence has been found of credentials being stolen, CISA recommends that any individual who had CSAT accounts to reset their passwords to protect against brute force attacks.