Reeling from a spate of zero-day attacks that threw its security response teams into disarray and forced the US government to issue disconnection instructions, Ivanti says it has found security enlightenment with a CEO-led media campaign vowing to fix the entire cybersecurity organization.
The Utah IT software firm released a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott acknowledging the severity of its security problems and promising to revamp core engineering, security and vulnerability management practices.
“We will use this opportunity to begin a new era at Ivanti,” Abbott declared. “[It will be] a broad shift that fundamentally transforms the Ivanti security operating model.”
Abbott said Ivanti will make “significant financial investment” in pursuing secure-by-design principles for all Ivanti products and in a company-wide overhaul of its PSIRT and vulnerability management processes.
The CEO’s missive comes just 24 hours after Ivanti shipped patches for another batch of high-severity vulnerabilities that expose enterprise customers to malicious code execution attacks. It also follows new documentation from Mandiant describing nation-state APT activities on hacked Ivanti Connect Secure appliances.
The new Mandiant report provides case studies of post-exploitation activities on organizations compromised via CVE-2023-46805 and CVE-2024-21887, two vulnerabilities that were at the center of Ivanti’s patch release struggles.
After Volexity researchers caught Chinese hackers breaking into US companies via bugs in Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure), the company scrambled out pre-patch mitigations but struggled to meet its own deadline for releasing comprehensive patches.
The delays and communications hiccups led to the US cybersecurity agency CISA issuing a 48-hour deadline for federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products. Later, according to published reports, CISA was among the organizations hit by exploits for the Ivanti vulnerabilities and was forced to pull two systems offline to contain the damage.
After scrambling to respond to three separate in-the-wild zero-day attacks over the last year, Ivanti’s CEO says things “have been humbling.”
“We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers,” Abbott said, outlining plans to rebuild its engineering, security and vulnerability management practices to “ensure all products that we create embrace secure by design methodology.”
Without providing details, Abbott said Ivanti plans to embed security into every stage of its software development lifecycle and build isolation and anti-exploit technologies to reduce the potential impact of future software defects. These are considered basic elements in a security program.
Abbott also acknowledged contractual, technical and financial frictions that block customers from upgrading to newer versions of its products and said the company would be fixing these as a priority.
“When customers require a fully on-prem solution, we are committed to helping them operate within these limits without compromising system security,” Abbott said, citing “practical impediments” to security hygiene for on-prem devices.