CISA Confirms Data Breach in Chemical Security Assessment Tool: Potential Exposure of Sensitive Information
June 24, 2024
CISA has issued a warning about a breach in its Chemical Security Assessment Tool (CSAT) environment, which occurred in January. Hackers carried out the breach by deploying a web shell on the agency's Ivanti device. CSAT is an online portal used by facilities to report their possession of potentially harmful chemicals. High-risk facilities are prompted to upload a security vulnerability assessment (SVA) and site security plan (SSP) survey, containing sensitive information about the facility.
The Record first reported the breach in March, stating that CISA's Ivanti device had been exploited and that the agency had taken two systems offline for investigation. The Record's sources identified the affected systems as the Infrastructure Protection (IP) Gateway and Chemical Security Assessment Tool (CSAT). CISA has now confirmed the breach, revealing that the CSAT Ivanti Connect Secure appliance was compromised on January 23, 2024. This allowed a threat actor to upload a web shell to the device, which was accessed several times over two days.
After discovering the breach, CISA took the device offline to investigate the threat actor's actions and the potential data exposure. CISA has not disclosed the specific vulnerabilities that were exploited, instead referring to a document on threat actors exploiting multiple vulnerabilities on Ivanti Connect Secure and Policy Secure Gateway devices. This document mentions three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all disclosed before the CISA breach. Another vulnerability, CVE-2024-21888, was disclosed a day before the breach.
Although all data in the CSAT application is encrypted with AES-256, CISA has decided to notify companies and individuals as a precautionary measure. In their data breach notification, CISA states, 'CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed.' The potential data exposure includes Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts. These contain sensitive information about the security and chemical inventory of facilities using the CSAT tool.
While there is no evidence of stolen credentials, CISA recommends that all CSAT account holders reset their passwords if they used the same password for other accounts. CISA is sending out different notification letters depending on whether the recipient is an individual or an organization.