More US agencies may have been hacked, this time with Pulse Secure exploits

At least five U.S. federal agencies may have suffered cyberattacks targeting recently discovered security flaws that gave hackers free rein over vulnerable networks, the U.S. Cybersecurity and Infrastructure Security Agency said Friday.

The vulnerabilities in Pulse Connect Secure, a VPN employees use to remotely connect to large networks, include one that hackers were actively exploiting before it was known to Ivanti, the product’s maker. The vulnerability, which Ivanti disclosed last week, has a severity rating of 10 out of 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware and take control of other parts of the network where it is installed.

Federal agencies, critical infrastructure and more

Security firm FireEye said in a report released the same day as the Ivanti disclosure that hackers associated with China have spent months exploiting the critical vulnerability to spy on U.S. defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was being actively exploited.

In March, after revealing several other vulnerabilities that have now been patched, Ivanti released the Pulse Secure Connect Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s revelation that CVE-2021-22893 was being actively exploited, CISA mandated that all federal agencies use the tool.

“CISA is aware of at least five federal civilian agencies that have run the Pulse Connect Secure Integrity Tool and identified indications of possible unauthorized access,” Matt Hartman, deputy executive assistant director at CISA, wrote in an emailed statement. “We are working with each agency to validate whether a break-in has occurred and will provide incident support accordingly.”

CISA said it is aware of compromises of federal agencies, critical infrastructure entities and private sector organizations dating back to June 2020.

They just keep coming

The targeting of the five agencies is the latest in a series of large-scale cyberattacks that have hit sensitive government and corporate organizations in recent months. In December, researchers discovered an operation that infected the software building and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations, including Microsoft, anti-virus maker Malwarebytes and Mimecast, suffered follow-up attacks. In March, hackers exploited a newly discovered vulnerability in Microsoft Exchange and compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide. Microsoft said Hafnium, the name for a group operating in China, was behind the attacks. In the days that followed, hackers unaffiliated with Hafnium began infecting the already compromised servers to install a new strain of ransomware. Two other serious breaches have also occurred, one against the creator of the Codecov software developer tool and the other against the vendor of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs and other network-connected devices. Both breaches are serious, as the hackers can use them to compromise the large number of customers of the companies’ products.

Ivanti said it is helping to investigate and respond to exploits that the company says have been “discovered on a very limited number of customer systems.”

“The Pulse team has taken prompt action to provide immediate solutions to the limited number of affected customers remediating the risk to their system, and we plan to release a software update within a few days,” a spokesperson added.
