2024-09-13
CISA Directs Agencies to Update or Remove Ivanti Cloud Service Appliance
On Friday, September 13, Ivanti updated an advisory for a vulnerability in their Cloud Service Appliance (CSA) that was originally released on September 10. The high-severity OS command injection vulnerability (CVE-2024-8190) affects CSA version 4.6, which "is End-of-Life, and no longer receives patches for OS or third-party libraries." While Ivanti has released a fix for CSA 4.6, it is the final patch that will be backported for this version; users are urged to upgrade to CSA 5.0. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8190 to their Known Exploited Vulnerabilities Catalog; federal civilian executive branch agencies have until October 4 to remove CSA 4.6 and/or upgrade to CSA 5.0.
Editor's Note
Two points: (1) This is a decision that needs to be made in advance of any incident; and (2) It is a decision that is above the grade of the CISO. When decisions are made to take a risk (like not patching critical vulnerabilities or not moving to phishing-resistant authentication), it is time to reach agreement on what will be done if the risk is realized. As a minimum, a table-top exercise each year to walk through reaction/communication/restoration plans and costs should be done.
John Pescatore
The Port of Seattle has brought many systems back online, but some remain offline, such as their website, SEA Visitor Pass, TSA wait times, and the flySEA app. The port is keeping their site updated with status and FAQs, as well as contact guidance to help those impacted by the offline services.
Lee Neely
Not surprising that a state government agency chose not to pay the ransom demand. That'd just be a bad, bad look if they had. It would be helpful in any after-action report to know what led to the compromise so others can learn from this event. Said another way, what defenses were in place and what did the ransomware gang exploit to gain access?
Curtis Dukes
Without suggesting that mitigation after a ransomware attack is more efficient than prevention, continued success of ransomware attacks suggests a mitigation strategy that provides for the backup and recovery of mission critical applications in hours to days. The traditional 3-2-1 copy strategy does not facilitate this. Think hot backups.
William Hugh Murray
Read more in
Washington Ports: Port of Seattle Updates
The Record: Port of Seattle refuses to pay Rhysida ransom, warns of data leak
Bleeping Computer: Port of Seattle hit by Rhysida ransomware in August attack
Security Week: Data Stolen in Ransomware Attack That Hit Seattle Airport