CISA

US cyber defense chief accidentally uploaded secret government info to ChatGPT

AI, chatgpt, CISA, cybersecurity and infrastructure security agency, Department of Homeland Security, DHS, ice, openai, Policy / DJ Henderson / January 28, 2026

Cybersecurity “nightmare”

Congress recently grilled the acting chief on mass layoffs and a failed polygraph.

Alarming critics, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, accidentally uploaded sensitive information to a public version of ChatGPT last summer, Politico reported.

According to “four Department of Homeland Security officials with knowledge of the incident,” Gottumukkala’s uploads of sensitive CISA contracting documents triggered multiple internal cybersecurity warnings designed to “stop the theft or unintentional disclosure of government material from federal networks.”

Gottumukkala’s uploads happened soon after he joined the agency and sought special permission to use OpenAI’s popular chatbot, which most DHS staffers are blocked from accessing, DHS confirmed to Ars. Instead, DHS staffers use approved AI-powered tools, like the agency’s DHSChat, which “are configured to prevent queries or documents input into them from leaving federal networks,” Politico reported.

It remains unclear why Gottumukkala needed to use ChatGPT. One official told Politico that, to staffers, it seemed like Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it.”

The information Gottumukkala reportedly leaked was not confidential but marked “for official use only.” That designation, a DHS document explained, is “used within DHS to identify unclassified information of a sensitive nature” that, if shared without authorization, “could adversely impact a person’s privacy or welfare” or impede how federal and other programs “essential to the national interest” operate.

There’s now a concern that the sensitive information could be used to answer prompts from any of ChatGPT’s 700 million active users.

OpenAI did not respond to Ars’ request to comment, but Cyber News reported that experts have warned “that using public AI tools poses real risks because uploaded data can be retained, breached, or used to inform responses to other users.”

Sources told Politico that DHS investigated the incident for potentially harming government security—which could result in administrative or disciplinary actions, DHS officials told Politico. Possible consequences could range from a formal warning or mandatory retraining to “suspension or revocation of a security clearance,” officials said.

However, CISA’s director of public affairs, Marci McCarthy, declined Ars’ request to confirm if that probe, launched in August, has concluded or remains ongoing. Instead, she seemed to emphasize that Gottumukkala’s access to ChatGPT was only temporary, while suggesting that the ChatGPT use aligned with Donald Trump’s order to deploy AI across government.

“Acting Director Dr. Madhu Gottumukkala was granted permission to use ChatGPT with DHS controls in place,” McCarthy said. “This use was short-term and limited. CISA is unwavering in its commitment to harnessing AI and other cutting-edge technologies to drive government modernization and deliver” on Trump’s order.

Scrutiny of cyber defense chief remains

Gottumukkala has not had a smooth run as acting director of the top US cyber defense agency after Trump’s pick to helm the agency, Sean Plankey, was blocked by Sen. Rick Scott (R-Fla.) “over a Coast Guard shipbuilding contract,” Politico noted.

DHS Secretary Kristi Noem chose Gottumukkala to fill in after he previously served as her chief information officer, overseeing statewide cybersecurity initiatives in South Dakota. CISA celebrated his appointment with a press release boasting that he had more than 24 years of experience in information technology and a “deep understanding of both the complexities and practical realities of infrastructure security.”

However, critics “on both sides of the aisle” have questioned whether Gottumukkala knows what he’s doing at CISA, Cyberscoop reported. That includes staffers who stayed on and staffers who prematurely left the agency due to uncertainty over its future, Politico reported.

At least 65 staffers have been curiously reassigned to other parts of DHS, Cyberscoop reported, inciting Democrats’ fears that CISA staffers are possibly being pushed over to Immigration and Customs Enforcement (ICE).

The same fate almost befell Robert Costello, CISA’s chief information officer, who was reportedly involved with meetings last August probing Gottumukkala’s improper ChatGPT use and “the proper handling of for official use only material,” Politico reported.

Earlier this month, staffers alleged that Gottumukkala took steps to remove Costello from his CIO position, which he has held for the past four years. But that plan was blocked after “other political appointees at the department objected,” Politico reported. Until others intervened to permanently thwart the reassignment, Costello was supposedly given “roughly one week” to decide if he would take another position within DHS or resign, sources told Politico.

Gottumukkala has denied that he sought to reassign Costello over a personal spat that Politico’s sources said sprang from “friction because Costello frequently pushed back against Gottumukkala on policy matters.” He insisted that “senior personnel decisions are made at the highest levels at the Department of Homeland Security’s Headquarters and are not made in a vacuum, independently by one individual, or on a whim.”

The reported move looked particularly shady, though, because Costello “is seen as one of the agency’s top remaining technical talents,” Politico reported.

Congress questioned ongoing cybersecurity threats

This month, Congress grilled Gottumukkala about mass layoffs last year that shrank CISA from about 3,400 staffers to 2,400. The steep cuts seemed to threaten national security and election integrity, lawmakers warned, and potentially have left the agency unprepared for any potential conflicts with China.

At a hearing held by the House Homeland Security Committee, Gottumukkala said that CISA was “getting back on mission” and plans to reverse much of the damage done last year to the agency.

However, some of his responses did not inspire confidence, including a failure to forecast “how many cyber intrusions CISA expects from foreign adversaries as part of the 2026 midterm elections,” the Federal News Network reported. In particular, Rep. Tony Gonzales (R-Texas) criticized Gottumukkala for not having “a specific number in mind.”

“Well, we should have that number,” Gonzales said. “It should first start by how many intrusions that we had last midterm and the midterm before that. I don’t want to wait. I don’t want us waiting until after the fact to be able to go, ‘Yeah, we got it wrong, and it turns out our adversaries influenced our election to that point.’”

Perhaps notably, Gottumukkala also dodged questions about reports that he failed a polygraph when attempting to seek access to other “highly sensitive cyber intelligence,” Politico reported.

The acting director apparently blamed six career CISA staffers for requesting that he agree to the polygraph test, which the staffers said was typical protocol but Gottumukkala later claimed was misleading.

Failing the test isn’t necessarily damning, since anxiety or technical errors could trigger a negative result. However, Gottumukkala appears touchy about the test that he now regrets sitting for, calling the test “unsanctioned” and refusing to discuss the results.

It seems that Gottumukkala felt misled after learning that he could have requested a waiver to skip the polygraph. In a letter suspending those staffers’ security clearances, CISA accused staff of showing “deliberate or negligent failure to follow policies that protect government information.” However, staffers may not have known that he had that option, which is considered a “highly unusual loophole that may not have been readily apparent to career staff,” Politico noted.

Staffers told Politico that Gottumukkala’s tenure has been a “nightmare”—potentially ruining the careers of longtime CISA staffers. It troubles some that it seems that Gottumukkala will remain in his post “for the foreseeable future,” while seeming to politicize the agency and bungle protocols for accessing sensitive information.

According to Nextgov, Gottumukkala plans to right the ship with “a hiring spree in 2026 because its recent reductions have hampered some of the Trump administration’s national security goals.”

In November, the trade publication Cybersecurity Dive reported that Gottumukkala sent a memo confirming the hiring spree was coming that month, while warning that CISA remains “hampered by an approximately 40 percent vacancy rate across key mission areas.” All those cuts were “spurred by the administration’s animus toward CISA over its election security work,” Cybersecurity Dive noted.

“CISA must immediately accelerate recruitment, workforce development, and retention initiatives to ensure mission readiness and operational continuity,” Gottumukkala told staffers at that time, then later went on to reassure Congress this month that the agency has “the required staff” to protect election integrity and national security, Cyberscoop reported.

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.

US cyber defense chief accidentally uploaded secret government info to ChatGPT Read More »

Authorities carry out global takedown of infostealer used by cybercriminals

Biz & IT, CISA, infostealer, infostealers, Security, syndication / 9u50fv / May 22, 2025

Authorities, along with tech companies including Microsoft and Cloudflare, say they’ve disrupted Lumma.

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and banking information, and cryptocurrency wallet details. The tool, which officials say is developed in Russia, has provided cybercriminals with the information and credentials they needed to drain bank accounts, disrupt services, and carry out data extortion attacks against schools, among other things.

Microsoft’s Digital Crimes Unit (DCU) obtained an order from a United States district court last week to seize and take down about 2,300 domains underpinning Lumma’s infrastructure. At the same time, the US Department of Justice seized Lumma’s command and control infrastructure and disrupted cybercriminal marketplaces that sold the Lumma malware. All of this was coordinated, too, with the disruption of regional Lumma infrastructure by Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center.

Microsoft lawyers wrote on Wednesday that Lumma, which is also known as LummaC2, has spread so broadly because it is “easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses.” Steven Masada, assistant general counsel at Microsoft’s DCU, says in a blog post that Lumma is a “go-to tool,” including for the notorious Scattered Spider cybercriminal gang. Attackers distribute the malware using targeted phishing attacks that typically impersonate established companies and services, like Microsoft itself, to trick victims.

“In 2025, probably following Redline’s disruption and Lumma’s own development, it has ranked as the most active module, indicating its growing popularity and widespread adoption among cybercriminals,” says Victoria Kivilevich, director of threat research at security firm Kela.

Microsoft says that more than 394,000 Windows computers were infected with the Lumma malware between March 16 and May 16 this year. And Lumma was mentioned in more than 21,000 listings on cybercrime forums in the spring of 2024, according to figures cited in a notice published today by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The malware has been spotted bundled in fake AI video generators, fake “deepfake” generation websites, and distributed by fake CAPTCHA pages.

Law enforcement’s collaboration with Microsoft’s DCU and other tech companies like Cloudflare focused on disrupting Lumma’s infrastructure in multiple ways, so its developers could not simply hire new providers or create parallel systems to rebuild.

“Cloudflare’s role in the disruption included blocking the command and control server domains, Lumma’s Marketplace domains, and banning the accounts that were used to configure the domains,” the company wrote in a blog post on Wednesday. “Microsoft coordinated the takedown of Lumma’s domains with multiple relevant registries in order to ensure that the criminals could not simply change the name servers and recover their control.”

While infostealing malware has been around for years, its use by cybercriminals and nation-state hackers has surged since 2020. Typically, infostealers find their way onto people’s computers through downloads of pirated software or through targeted phishing attacks that impersonate established companies and services, like Microsoft itself, to trick victims. Once on a computer it is able to grab sensitive information—such as usernames and passwords, financial information, browser extensions, multifactor authentication details and more—and send it back to the malware’s operators.

Some infostealer operators bundle and sell this stolen data. But increasingly the compromised details have acted as a gateway for hackers to launch further attacks, providing them with the details needed to access online accounts and the networks of multi-billion dollar corporations.

“It’s clear that infostealers have become more than just grab-and-go malware,” says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. “In many campaigns they really act as the first stage, collecting credentials, access tokens, and other foothold-enabling data, which is then used to launch more traditional, high-impact attacks such as lateral movement, espionage, or ransomware.”

The Lumma infostealer first emerged on Russian-language cybercrime forums in 2022, according to the FBI and CISA. Since then its developers have upgraded its capabilities and released multiple different versions of the software.

Since 2023, for example, they have been working to integrate AI into the malware platform, according to findings from the security firm Trellix. Attackers want to add these capabilities to automate some of the work involved in cleaning up the massive amounts of raw data collected by infostealers, including identifying and separating “bot” accounts that are less valuable for most attackers.

One administrator of Lumma told 404Media and WIRED last year that they encouraged both seasoned hackers and new cybercriminals to use their software. “This brings us good income,” the administrator said, referring to the resale of stolen login data.

Microsoft says that the main developer behind Lumma goes by the online handle “Shamel” and is based in Russia.

“Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums,” Microsoft’s Masada wrote on Wednesday. “Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.”

Kela’s Kivilevich says that in the days leading up to the takedown, some cybercriminals started to complain on forums that there had been problems with Lumma. They even speculated that the malware platform had been targeted in a law enforcement operation.

“Based on what we see, there is a wide range of cybercriminals admitting they are using Lumma, such as actors involved in credit card fraud, initial access sales, cryptocurrency theft, and more,” Kivilevich says.

Among other tools, the Scattered Spider hacking group—which has attacked Caesars Entertainment, MGM Resorts International, and other victims—has been spotted using the Lumma stealer. Meanwhile, according to a report from TechCrunch, the Lumma malware was allegedly used in the build-up to the December 2024 hack of education tech firm PowerSchool, in which more than 70 million records were stolen.

“We’re now seeing infostealers not just evolve technically, but also play a more central role operationally,” says DoubleYou’s Wardle. “Even nation-state actors are developing and deploying them.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that while infostealers are only one tool that cybercriminals will use, their prevalence may make it easier for cybercriminals to hide their tracks. “Even advanced threat actor groups are leveraging infostealer logs, or they risk burning sophisticated tactics, techniques, and procedures (TTPs),” Gray says.

Lumma isn’t the first infostealer to be targeted by law enforcement. In October last year, the Dutch National Police, along with international partners, took down the infrastructure linked to the RedLine and MetaStealer malware, and the US Department of Justice unsealed charges against Maxim Rudometov, one of the alleged developers and administrators of the RedLine infostealer.

Despite the international crackdown, infostealers have proven too useful and effective for attackers to abandon. As Flashpoint’s Gray puts it, “Even if the landscape ultimately shifts due to the evolution of defenses, the growing prominence of infostealers over the past few years suggests they are likely here to stay for the foreseeable future. Usage of them has exploded.”

This story originally appeared at wired.com.

Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture.

Authorities carry out global takedown of infostealer used by cybercriminals Read More »

DOGE software engineer’s computer infected by info-stealing malware

Biz & IT, CISA, credentials, cybersecurity and infrastructure security agency, department of government efficiency, kyle schutt, passwords, Policy, Security / DJ Henderson / May 10, 2025

Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.

Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.

A steady stream of published credentials

According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.

“I have no way of knowing exactly when Schutt’s computer was hacked, or how many times,” Lee wrote. “I don’t know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”

Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.

DOGE software engineer’s computer infected by info-stealing malware Read More »

Siri “unintentionally” recorded private convos; Apple agrees to pay $95M

Apple, CISA, Policy, Siri, targeted ads, voice assistant, wiretap act / DJ Henderson / January 2, 2025

Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then shared with third parties and used for targeted ads.

In the proposed class-action settlement—which comes after five years of litigation—Apple admitted to no wrongdoing. Instead, the settlement refers to “unintentional” Siri activations that occurred after the “Hey, Siri” feature was introduced in 2014, where recordings were apparently prompted without users ever saying the trigger words, “Hey, Siri.”

Sometimes Siri would be inadvertently activated, a whistleblower told The Guardian, when an Apple Watch was raised and speech was detected. The only clue that users seemingly had of Siri’s alleged spying was eerily accurate targeted ads that appeared after they had just been talking about specific items like Air Jordans or brands like Olive Garden, Reuters noted (claims which remain disputed).

It’s currently unknown how many customers were affected, but if the settlement is approved, the tech giant has offered up to $20 per Siri-enabled device for any customers who made purchases between September 17, 2014, and December 31, 2024. That includes iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs, the settlement agreement noted. Each customer can submit claims for up to five devices.

A hearing when the settlement could be approved is currently scheduled for February 14. If the settlement is certified, Apple will send notices to all affected customers. Through the settlement, customers can not only get monetary relief but also ensure that their private phone calls are permanently deleted.

While the settlement appears to be a victory for Apple users after months of mediation, it potentially lets Apple off the hook pretty cheaply. If the court had certified the class action and Apple users had won, Apple could’ve been fined more than $1.5 billion under the Wiretap Act alone, court filings showed.

But lawyers representing Apple users decided to settle, partly because data privacy law is still a “developing area of law imposing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages,” the motion to approve the settlement agreement said. It was also possible that the class size could be significantly narrowed through ongoing litigation, if the court determined that Apple users had to prove their calls had been recorded through an incidental Siri activation—potentially reducing recoverable damages for everyone.

Siri “unintentionally” recorded private convos; Apple agrees to pay $95M Read More »

Black Basta ransomware group is imperiling critical infrastructure, groups warn

Biz & IT, black basta, CISA, critical infrastructure, ransomware, Security / Mike M. / May 14, 2024

Federal agencies, health care associations, and security researchers are warning that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations in the past two years.

One of the latest casualties of the native Russian-speaking group, according to CNN, is Ascension, a St. Louis-based health care system that includes 140 hospitals in 19 states. A network intrusion that struck the nonprofit last week took down many of its automated processes for handling patient care, including its systems for managing electronic health records and ordering tests, procedures, and medications. In the aftermath, Ascension has diverted ambulances from some of its hospitals and relied on manual processes.

“Severe operational disruptions”

In an Advisory published Friday, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta has victimized 12 of the country’s 16 critical infrastructure sectors in attacks that it has mounted on 500 organizations spanning the globe. The nonprofit health care association Health-ISAC issued its own advisory on the same day that warned that organizations it represents are especially desirable targets of the group.

“The notorious ransomware group, Black Basta, has recently accelerated attacks against the healthcare sector,” the advisory stated. It went on to say: “In the past month, at least two healthcare organizations, in Europe and in the United States, have fallen victim to Black Basta ransomware and have suffered severe operational disruptions.”

Black Basta has been operating since 2022 under what is known as the ransomware-as-a-service model. Under this model, a core group creates the infrastructure and malware for infecting systems throughout a network once an initial intrusion is made and then simultaneously encrypting critical data and exfiltrating it. Affiliates do the actual hacking, which typically involves either phishing or other social engineering or exploiting security vulnerabilities in software used by the target. The core group and affiliates divide any revenue that results.

Recently, researchers from security firm Rapid7 observed Black Basta using a technique they had never seen before. The end goal was to trick employees from targeted organizations to install malicious software on their systems. On Monday, Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann reported:

Since late April 2024, Rapid7 identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

Enlarge / Example spam email

Rapid7

With the emails sent, and the impacted users struggling to handle the volume of the spam, the threat actor then began to cycle through calling impacted users posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user they called, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

Black Basta ransomware group is imperiling critical infrastructure, groups warn Read More »

Agencies using vulnerable Ivanti products have until Saturday to disconnect them

Biz & IT, CISA, connect secure, ivanti, Security, zerodays / Kelly Newman / February 1, 2024

TOUGH MEDICINE —

Things were already bad with two critical zero-days. Then Ivanti disclosed a new one.

Dan Goodin – Feb 1, 2024 11: 45 pm UTC

Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word — Getty Images

Federal civilian agencies have until midnight Saturday morning to sever all network connections to Ivanti VPN software, which is currently under mass exploitation by multiple threat groups. The US Cybersecurity and Infrastructure Security Agency mandated the move on Wednesday after disclosing three critical vulnerabilities in recent weeks.

Three weeks ago, Ivanti disclosed two critical vulnerabilities that it said threat actors were already actively exploiting. The attacks, the company said, targeted “a limited number of customers” using the company’s Connect Secure and Policy Secure VPN products. Security firm Volexity said on the same day that the vulnerabilities had been under exploitation since early December. Ivanti didn’t have a patch available and instead advised customers to follow several steps to protect themselves against attacks. Among the steps was running an integrity checker the company released to detect any compromises.

Almost two weeks later, researchers said the zero-days were under mass exploitation in attacks that were backdooring customer networks around the globe. A day later, Ivanti failed to make good on an earlier pledge to begin rolling out a proper patch by January 24. The company didn’t start the process until Wednesday, two weeks after the deadline it set for itself.

And then, there were three

Ivanti disclosed two new critical vulnerabilities in Connect Secure on Wednesday, tracked as CVE-2024-21888 and CVE-2024-21893. The company said that CVE-2024-21893—a class of vulnerability known as a server-side request forgery—“appears to be targeted,” bringing the number of actively exploited vulnerabilities to three. German government officials said they had already seen successful exploits of the newest one. The officials also warned that exploits of the new vulnerabilities neutralized the mitigations Ivanti advised customers to implement.

Hours later, the Cybersecurity and Infrastructure Security Agency—typically abbreviated as CISA—ordered all federal agencies under its authority to “disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks” no later than 11: 59 pm on Friday. Agency officials set the same deadline for the agencies to complete the Ivanti-recommended steps, which are designed to detect if their Ivanti VPNs have already been compromised in the ongoing attacks.

The steps include:

Identifying any additional systems connected or recently connected to the affected Ivanti device
Monitoring the authentication or identity management services that could be exposed
Isolating the systems from any enterprise resources to the greatest degree possible
Continuing to audit privilege-level access accounts.

The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that include factory resetting their system, rebuilding them following Ivanti’s previously issued instructions, and installing the Ivanti patches.

“Agencies running the affected products must assume domain accounts associated with the affected products have been compromised,” Wednesday’s directive said. Officials went on to mandate that by March 1, agencies must have reset passwords “twice” for on-premise accounts, revoke Kerberos-enabled authentication tickets, and then revoke tokens for cloud accounts in hybrid deployments.

Steven Adair, the president of Volexity, the security firm that discovered the initial two vulnerabilities, said its most recent scans indicate that at least 2,200 customers of the affected products have been compromised to date. He applauded CISA’s Wednesday directive.

“This is effectively the best way to alleviate any concern that a device might still be compromised,” Adair said in an email. “We saw that attackers were actively looking for ways to circumvent detection from the integrity checker tools. With the previous and new vulnerabilities, this course of action around a completely fresh and patched system might be the best way to go for organizations to not have to wonder if their device is actively compromised.”

The directive is binding only on agencies under CISA’s authority. Any user of the vulnerable products, however, should follow the same steps immediately if they haven’t already.

Agencies using vulnerable Ivanti products have until Saturday to disconnect them Read More »