At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.
The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.
Federal agencies, critical infrastructure, and more
Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zeroday vulnerability, tracked as CVE-2021-22893, was under active exploit.
In March, following the disclosure of several other vulnerabilities that have now been patched, Ivanti released the Pulse Secure Connect Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s disclosure that CVE-2021-2021-22893 was under active exploit, CISA mandated that all federal agencies run the tool
“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, deputy executive assistant director at CISA, wrote in an emailed statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”
CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.
They just keep coming
The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks.
In March, hackers exploiting newly discovered vulnerability in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide.
Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated by Hafnium began infecting the already-compromised servers to install a new strain of ransomware.
Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious, because the hackers can use them to compromise the large number of customers of the companies’ products.
Ivanti said it’s helping to investigate and respond to exploits, which the company said have been “discovered on a very limited number of customer systems.”
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.