VPNs no more: New CISA advisory signals need for secure remote access amid China-sponsored attacks

April 19, 2024
The advisory is a wakeup call to all organizations around the world to reevaluate their secure remote access strategies.

The latest cybersecurity advisory on Ivanti VPN vulnerabilities by CISA, FBI, and the Five Eyes cybersecurity agencies confirms what has long been feared – VPNs are insecure solutions, and using one puts your organization at risk.

VPNs Pose Risks to Enterprises and Critical Infrastructure

VPNs are a significant risk vector to critical infrastructures and enterprises on a global scale. The advisory released on February 29 was an international effort with input from CISA and the FBI, as well as from cybersecurity agencies from Canada, the United Kingdom, Australia, and New Zealand.

This should be the wakeup call to organizations still relying on VPNs to seek more modern solutions with secure by design engineering and resilient architecture at their core. 

Latest CISA Advisory Issues Global VPN Usage Warning

It’s not the first report of its kind. CISA already provided guidance to federal agencies to remove Ivanti from their environments by February 2. The subsequent Feb. 29 advisory is for a broader, international audience of non-government entities.

While CISA has no authority to force private enterprises to remove Ivanti from their environments, this new advisory makes their guidance crystal clear – remove Ivanti or face a near-certain breach. The advisory notes, "the authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment."

China and Nation State-sponsored Attacks Exacerbate the Issue

VPNs have never been a great security solution because they allow an attacker with easily obtained stolen credentials to access the entire network. But now they’ve become staging points for attacks. This situation has gotten much worse recently, as nation states such as China and for-profit entities are compromising VPN appliances themselves to run malware and launch attacks – and users cannot definitively detect them. 

Let’s double click on this point for a minute. There is no way for an organization to ensure that they have removed an attacker – even after a factory reset of the device. It’s the most damning takeaway from the advisory. Even if the device is reset, nation state actors, particularly those from China, can maintain persistence.

Just a couple of weeks ago, the FBI shared forensic evidence of persistence lasting five years, noting that the “use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure” (CISA). Using an Ivanti VPN is tantamount to opening up an attack staging ground and inviting China-sponsored and other hackers into your enterprise.

This advisory stresses not to be lured into a false sense of security, especially by Ivanti, which is underplaying the gravity of the situation in its latest blog post.

Modernize Your Secure Remote Access Strategy Stat 

It should come as no surprise that this situation poses a significant threat to our critical infrastructure. Organizations should shift away from insecure VPN and find a better solution.

Not just that, but the Ivanti zero-days are equally damaging for private enterprise. Ivanti is one of the most popular VPN products used by Fortune 500 companies. An exposure of this magnitude across this group of organizations risks a significant impact to the economy should their IP be stolen or their services disrupted in a coordinated effort. 

We’ve been waiting for the other shoe to drop, and with the discovery of the Ivanti zero-days, now it has. Unfortunately, we don’t see the saga with VPNs ending here. Ivanti is only one of dozens of legacy VPN providers with prolific deployments, including across critical infrastructure.

This is a wakeup call to all organizations around the world to reevaluate their secure remote access strategies, eliminate the use of VPNs, and move to zero trust-based solutions available today in the market. Organizations are better off shifting to technology that is built on secure-by-design and resilience principles from the ground up.


Geoffrey Mattson is an entrepreneur and cybersecurity executive with decades of experience as a leader in R&D, product development, and Go-To-Market (GTM).

Prior to Xage, Geoff was a co-founder and CEO of MistNet.ai, an AI-driven Cybersecurity platform that was acquired by Thoma Bravo and LogRhythm. Previously, he led R&D and Product organizations in network and security startups focused on cloud-based security services, including Corona and Caspian. 

In addition, Geoff has worked for established companies like Juniper Networks in both general management and functional leadership roles, accelerating innovation and growth. Earlier in his career, Geoff spearheaded networking and telecommunication product initiatives at Bay Networks, where he led architecture, industry standards, and global GTM efforts. 

Geoff holds a Master's degree in Computer Science from Boston University and currently serves as a speaker and mentor at the Stanford Graduate School of Business (Stanford Ignite program). He holds 13 U.S. and international patents.