The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to participants in the Chemical Facility Anti-Terrorism Standards (CFATS) program regarding a breach of the Chemical Security Assessment Tool (CSAT).
Description
The breach, which occurred from January 23 to 26, 2024 [4], involved the exploitation of a zero-day vulnerability in an Ivanti Connect Secure appliance [1] [2] [4]. CISA identified the compromise after detecting potentially malicious activity affecting the Ivanti device [3]. A malicious actor had installed an advanced webshell on the device [1], capable of executing commands or writing files [3].
The investigation did not find any adversarial access beyond the Ivanti device or data exfiltration from the CSAT environment [3] [4], and there is no evidence of data misuse or sale. Even so, CISA has warned chemical facilities that sensitive data [2], including personally identifiable information (PII) of facility personnel and visitors [2] [4], may have been exfiltrated [2]. As a precautionary measure to protect that information, CISA recommended resetting passwords for CSAT accounts. CISA notified participants in the CFATS program about the breach as required by FISMA [3].
Conclusion
The breach highlights the importance of cybersecurity measures in protecting sensitive information. Mitigations such as resetting passwords and monitoring for malicious activity are crucial in preventing future breaches. Chemical facilities should remain vigilant and implement robust security protocols to safeguard against potential threats.
References
[1] https://sigmacybersecurity.com/cisa-alerts-us-chemical-facilities-of-potential-data-breach-risk/
[2] https://bragg.substack.com/p/daily-drop-797
[3] https://www.waterisac.org/portal/cisa-issues-notification-chemical-security-assessment-tool-csat-cybersecurity-intrusion
[4] https://www.infosecurity-magazine.com/news/chemical-exfiltration-cisa-breach/