In notification letters dated June 20, 2024, CISA warned participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program that sensitive data may have been exfiltrated after its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor.
CFATS is a program that regulates high-risk chemical facilities to ensure security measures are in place to reduce the risk of certain hazardous chemicals being weaponized. Any facility that manufactures, uses, stores, or distributes certain levels of chemicals of interest is required to report to CISA via the CSAT.
CISA said on January 26th it identified potentially malicious activity within the CSAT Ivanti Connect Secure appliance and immediately took the system offline. The investigation revealed that a bad actor installed an advanced webshell on the Ivanti device capable of executing malicious commands or writing files to the underlying system.
Information accessed includes:
- Top-Screen Surveys: facility topography, types of chemicals of interest at the facility, and characteristics of chemicals and storage
- Security Vulnerability Assessments: the facility’s use of chemicals of interest and measures related to the facility’s policies, procedures, and resources
- Site Security Plans and Alternative Security Programs
- Personnel Surety Program: Name/aliases, place of birth, citizenship, redress and Global Entry number
- CSAT User Accounts: name, title, business address, and business phone number
No exfiltration of data from CSAT beyond the Ivanti device was identified. CISA added that all data held in CSAT was encrypted and information from each application had additional security controls limiting the likelihood of lateral access.
Evan Dornbush, former NSA cybersecurity expert, said:
“Intrusions like these remind us that turning on logging is often not enough, that robust measures including analysis of network traffic and other forms of defense in depth continue to be the best practices for a strong defensive posture against the adversary”
While the CISA’s investigation did not result in any evidence of exfiltration of data or
lateral movement, this is still bad. Hopefully the CISA gets an handle on this as this isn’t a good look.
Like this:
Like Loading...
Related
This entry was posted on June 25, 2024 at 8:20 am and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
CISA warns chemical facilities of data exfiltration after CISA tool breach
In notification letters dated June 20, 2024, CISA warned participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program that sensitive data may have been exfiltrated after its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor.
CFATS is a program that regulates high-risk chemical facilities to ensure security measures are in place to reduce the risk of certain hazardous chemicals being weaponized. Any facility that manufactures, uses, stores, or distributes certain levels of chemicals of interest is required to report to CISA via the CSAT.
CISA said on January 26th it identified potentially malicious activity within the CSAT Ivanti Connect Secure appliance and immediately took the system offline. The investigation revealed that a bad actor installed an advanced webshell on the Ivanti device capable of executing malicious commands or writing files to the underlying system.
Information accessed includes:
No exfiltration of data from CSAT beyond the Ivanti device was identified. CISA added that all data held in CSAT was encrypted and information from each application had additional security controls limiting the likelihood of lateral access.
Evan Dornbush, former NSA cybersecurity expert, said:
“Intrusions like these remind us that turning on logging is often not enough, that robust measures including analysis of network traffic and other forms of defense in depth continue to be the best practices for a strong defensive posture against the adversary”
While the CISA’s investigation did not result in any evidence of exfiltration of data or
lateral movement, this is still bad. Hopefully the CISA gets an handle on this as this isn’t a good look.
Share this:
Like this:
Related
This entry was posted on June 25, 2024 at 8:20 am and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.