At least five US federal agencies may have been hit by attacks exploiting recently discovered vulnerabilities that hackers are actively abusing in the wild, the US Cybersecurity and Infrastructure Security Agency (CISA) said on Friday.
One of the vulnerabilities is in Pulse Connect Secure, a VPN that employees use to connect remotely to large networks, and hackers were exploiting it before it became known to Ivanti, the product's manufacturer. The bug, which Ivanti announced last week, carries a severity rating of 10 out of 10. It is an authentication bypass that lets untrusted users remotely execute malicious code on Pulse Secure devices and, from there, take control of other parts of the network on which the device is installed.
Federal agencies, critical infrastructure, and more
Security firm FireEye said in a report released the same day as Ivanti's disclosure that hackers associated with China have spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was being actively exploited.
In March, after disclosing several other vulnerabilities that have since been patched, Ivanti released the Pulse Secure Connect Integrity Tool, which lets administrators check Pulse Secure devices for evidence of unauthorized access. After Ivanti announced last week that CVE-2021-22893 was being actively exploited, CISA mandated that all federal agencies run the tool.
“CISA is aware of at least five federal civilian agencies that have run the Pulse Connect Secure Integrity Tool and have identified evidence of potential unauthorized access,” wrote Matt Hartman, CISA's executive assistant director for cybersecurity, in an emailed statement. “We are working with each agency to determine whether an intrusion has occurred and will provide incident response support accordingly.”
CISA said it is aware of compromises dating back to June 2020 affecting federal agencies, critical infrastructure companies, and private sector organizations.
You just get on
The targeting of the five agencies is the latest in a series of large-scale cyberattacks that have hit sensitive government and corporate organizations in recent months. In December, researchers discovered an operation that infected the software build and distribution system of network management tool maker SolarWinds. The hackers used that control to push backdoored updates to around 18,000 customers. Nine government agencies and fewer than 100 private organizations, including Microsoft, antivirus maker Malwarebytes, and Mimecast, received follow-on attacks. In March, hackers exploiting newly discovered vulnerabilities in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and up to 100,000 worldwide. Microsoft said that Hafnium, its name for a group operating out of China, was behind the attacks. In the days that followed, hackers unaffiliated with Hafnium began infecting the already compromised servers to install a new strain of ransomware. Two other serious breaches have also occurred: one against the maker of the Codecov software developer tool and the other against the vendor of Passwordstate, a password manager that large organizations use to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious because they give the hackers a path to compromise the large number of customers of each company's products.
Ivanti said it is helping to investigate and respond to exploits that the company said were “discovered on a very limited number of customer systems.”
“The Pulse team took quick action to directly mitigate the limited number of affected customers and reduce the risk to their systems. We plan to release a software update in the next few days,” a spokesman added.