The CISA released a statement cautioning against the use of VPNs. The announcement reveals that malicious actors are capable of evading certain VPN security measures without detection, specifically with Ivanti VPN appliances. Network defenders are advised to presume that credentials stored within an affected Ivanti VPN appliance are compromised. Furthermore, network defenders are encouraged to hunt for signs of malicious activity, run Ivanti's updated external ICT and utilize patching guidance as updated by Ivanti. 

Security leaders weigh in

Geoffrey Mattson, CEO at Xage Security:

“The cybersecurity advisory confirms what has long been feared – VPNs are insecure solutions, and using one puts your organization at risk. VPNs have never been a great security solution because they allow an attacker with easily obtained stolen credentials to access the entire network. But this situation has gotten much worse recently as nation states such as China and for-profit entities are compromising VPN appliances themselves to run malware and launch attacks.

“The most damning takeaway from the advisory is the revelation that even if the device is reset, nation state actors–particularly those from China–can maintain persistence. Just a couple of weeks ago, the FBI shared forensic evidence of persistence lasting five years, noting that the “use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure” (CISA). Using an Ivanti VPN is tantamount to opening up an attack staging ground and inviting China-sponsored and other hackers into your enterprise. This poses a significant threat to our critical infrastructure. Organizations should shift away from insecure VPN and find a better solution.

“The Ivanti zero-days are equally damaging for private enterprise. Ivanti is one of the most popular VPN products used by Fortune 500 companies. An exposure of this magnitude across this group of organizations risks a significant impact to the economy, should their IP be stolen, or their services disrupted in a coordinated effort.

“We’ve been waiting for the other shoe to drop, and with the discovery of the Ivanti zero-days, now it has. Unfortunately, we don’t see the saga with VPNs ending here. Ivanti is only one of dozens of legacy VPN providers with prolific deployments, including across critical infrastructure.

“VPNs are a significant risk vector to critical infrastructures and enterprises on a global scale. The advisory released today was an international effort with input from CISA and the FBI, as well as from cybersecurity agencies from Canada, United Kingdom, Australia, and New Zealand. This should be the wakeup call to organizations still relying on VPNs to seek more modern solutions with secure by design engineering and resilient architecture at their core.”

John Blackmon, Chief Technology Officer at ELB Learning:

“One of the best ways organizations can protect their data against bad actors is by having a relevant and continuous cybersecurity training program in place. Teaching them about the potential threats in a way that allows them to see them from a hacker’s point of view enables employees to recognize and mitigate these red flags when they come up on the job.