CISA is warning that its Chemical Security Assessment Tool (CSAT) environment was breached in January after hackers deployed a webshell on its Ivanti device, potentially exposing sensitive security assessments and plans.
CSAT is an online portal that is used by facilities to report their possession of chemicals that could be used for terrorism to determine if they are considered a high-risk facility. If they are considered high-risk, the tool will prompt them to upload a security vulnerability assessment (SVA) and site security plan (SSP) survey that contains sensitive information about the facility.
In March, The Record first reported that CISA suffered a breach after the agency’s Ivanti device was exploited, causing it to take two systems offline while investigating the incident.
While CISA would not share details about the incident, The Record’s sources said it was the Infrastructure Protection (IP) Gateway and Chemical Security Assessment Tool (CSAT).
CISA confirms breach
CISA has now confirmed that the CSAT Ivanti Connect Secure appliance was breached on January 23, 2024, allowing a threat actor to upload a web shell to the device.
The threat actor then accessed this web shell several times over two days.
Once CISA discovered the breach, they took the device offline to investigate any actions taken by the threat actor and what data was potentially exposed.
CISA has not shared what vulnerabilities were exploited, instead referring to a CISA document on threat actors exploiting multiple vulnerabilities on Ivanti Connect Secure and Policy Secure Gateway devices.
This document references three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all disclosed prior to CISA’s breach on January 23, with threat actors quickly exploiting them. One vulnerability, CVE-2024-21888, was disclosed on January 22, one day before CISA’s Ivanti device was breached.
While CISA says all of the data in the CSAT application is encrypted with AES 256 encryption and there is no evidence that CSAT data was stolen, they decided to notify companies and individuals in an abundance of caution.
“CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed,” explains the CISA data breach notification.
“Even without evidence of data exfiltration, the number of potential individuals and organizations whose data was potentially at risk met the threshold of a major incident under the Federal Information Security Modernization Act (FISMA).”
The data that could potentially have been exposed includes Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts.
These submissions contain highly sensitive information about the security posture and chemical inventory of facilities using the CSAT tool.
CISA says the CSAT user accounts contained the following information.
- Aliases
- Place of Birth
- Citizenship
- Passport Number
- Redress Number
- A Number
- Global Entry ID Number
- TWIC ID Number
While CISA says there is no evidence of credentials being stolen, it recommends that all CSAT account holders reset the passwords for any of their accounts that used the same password.
CISA is sending out different notification letters depending on whether you are an individual or organization.
