Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz

Ivanti releases a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott vowing to fix the entire security organization.

Reeling from a spate of zero-day attacks that threw its security response teams into disarray and forced the US government to issue disconnection instructions, Ivanti says it has found security enlightenment with a CEO-led media campaign vowing to fix the entire cybersecurity organization.

The Utah IT software firm released a carefully scripted YouTube video and an open letter from chief executive Jeff Abbott acknowledging the severity of its security problems and promising to revamp core engineering, security and vulnerability management practices.

“We will use this opportunity to begin a new era at Ivanti,” Abbott declared. “[It will be] a broad shift that fundamentally transforms the Ivanti security operating model.”

Abbott said Ivanti will make “significant financial investment” in pursuing secure-by-design principles for all Ivanti products and on a company-wide overhaul of its PSIRT and vulnerability management processes.

The CEO’s missive comes just 24 hours after Ivanti shipped patches for another batch of high-severity vulnerabilities that expose enterprise customers to malicious code execution attacks. It also follows new documentation from Mandiant describing nation-state APT activities on hacked Ivanti Connect Secure appliances.

The new Mandiant report provides case studies of post-exploitation activities on organizations compromised via CVE-2023-46805 and CVE-2024-21887, two vulnerabilities that were at the center of Ivanti’s patch release struggles.

After Volexity researchers caught Chinese hackers breaking into US companies via bugs in Internet-facing Ivanti Connect Secure VPN appliances (formerly known as Pulse Secure), the company scrambled out pre-patch mitigations but struggled to meet its own deadline for releasing comprehensive patches.

The delays and communications hiccups led to the US cybersecurity agency CISA issuing a 48-hour deadline for federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products. Later, according to published reports, CISA was among the organizations hit by exploits for the Ivanti vulnerabilities and was forced to pull two systems offline to contain the damage.

After scrambling to respond to three separate in-the-wild zero-day attacks over the last year, Ivanti’s CEO says things “have been humbling.”

“We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers,” Abbott said, outlining plans to rebuild its engineering, security and vulnerability management practices to “ensure all products that we create embrace secure by design methodology.”

Without providing details, Abbott said Ivanti plans to embed security into every stage of its software development lifecycle and build isolation and anti-exploit technologies to reduce the potential impact of future software defects. These are considered basic elements in a security program.

Abbott also acknowledged contractual, technical and financial friction that blocks customers from upgrading to newer versions of its products and said the company would be fixing these as a priority.

“When customers require a fully on-prem solution, we are committed to helping them operate within these limits without compromising system security,” Abbott said, citing “practical impediments” to security hygiene for on-prem devices.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
