CISA Confirms Data Breach in Chemical Security Assessment Tool: Potential Exposure of Sensitive Information

June 24, 2024

CISA has issued a warning about a breach in its Chemical Security Assessment Tool (CSAT) environment, which occurred in January. The breach was carried out by hackers who deployed a web shell on the agency's Ivanti device. CSAT is an online portal used by facilities to report their possession of potentially harmful chemicals. High-risk facilities are prompted to upload a security vulnerability assessment (SVA) and site security plan (SSP) survey, both of which contain sensitive information about the facility.

The Record first reported the breach in March, stating that CISA's Ivanti device had been exploited and that the agency had taken two systems offline for investigation. The Record's sources identified the affected systems as the Infrastructure Protection (IP) Gateway and Chemical Security Assessment Tool (CSAT). CISA has now confirmed the breach, revealing that the CSAT Ivanti Connect Secure appliance was compromised on January 23, 2024. This allowed a threat actor to upload a web shell to the device, which was accessed several times over two days.

After discovering the breach, CISA took the device offline to investigate the threat actor's actions and the potential data exposure. CISA has not disclosed the specific vulnerabilities that were exploited, instead referring to a document on threat actors exploiting multiple vulnerabilities on Ivanti Connect Secure and Policy Secure Gateway devices. This document mentions three vulnerabilities tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, all disclosed before the CISA breach. Another vulnerability, CVE-2024-21888, was disclosed a day before the breach.

Although all data in the CSAT application is encrypted with AES-256, CISA has decided to notify companies and individuals as a precautionary measure. In its data breach notification, CISA states, 'CISA is notifying all impacted participants in the CFATS program out of an abundance of caution that this information could have been inappropriately accessed.' The potential data exposure includes Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program submissions, and CSAT user accounts. These contain sensitive information about the security and chemical inventory of facilities using the CSAT tool.

While there is no evidence of stolen credentials, CISA recommends that all CSAT account holders reset their passwords if they used the same password for other accounts. CISA is sending out different notification letters depending on whether the recipient is an individual or an organization.
