01 May 2021

3rd Zero-Day Cyber Attack > Pulse Secure Connect Integrity Tools Breach /Advanced Persistent Threats

Whoa! A sign things are getting worse. The intrusions just keep coming - here's part of the story on these global attacks, from Jason Miller:
Pulse Secure Critical Zero-Day Security Bug Under Active Exploit (Threatpost)
"When the Cybersecurity and Infrastructure Security Agency released its third emergency cyber directive in the last five months, agencies were once again on notice to fix yet another critical vulnerability.
Last week’s directive detailed a potential major problem with the virtual private network software from Pulse Secure. CISA gave agencies until April 23 to identify all instances of the software and run the Pulse Connect Secure Integrity Tool. Along with this latest directive, CISA told agencies to patch Microsoft Exchange servers in March and another one for the SolarWinds vulnerability in December.
This type of fire drill is becoming far too common for agencies, and really every business, as the cyber threats seem to be ramping up, particularly against companies with global install bases. . .
“DHS is more effective in recognizing and sharing what the vulnerabilities are and how to fix them. But currently their only course of action right now is the ‘hair on fire’ approach where they push out this directive and rank it high because they don’t know how vulnerable agencies are so they just have to push out because it’s severe and everyone is in this worse-case scenario,” [John Barnhart]
Cybersecurity and Infrastructure Security Agency on Twitter: "Organizations using Ivanti Pulse Connect Secure appliances are encouraged to run the Ivanti Integrity Checker Tool, update to the latest software version, and investigate for
The problem is not just for the U.S. government but across the entire Internet.

Pulse Secure VPN zero-day used to hack defense firms, govt orgs

Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base (DIB) networks.

To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.

As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.

Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
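As an added illustration of the triage those advisory lines imply (this is not code from Pulse Secure, Ivanti or the quoted article), the script below parses PCS version strings, assumed to follow the "major.minorR<release>[.maint]" form seen above, and flags gateways that still need the upgrade or have only the interim workaround in place. Hostnames and feature-flag names are constructed placeholders.

```python
import re
from typing import NamedTuple

# Assumed version format: "major.minorR<release>[.maint]", e.g. "9.0R3" or "9.1R11.4".
# A stray dot after the "R" ("9.1R.11.4"), as the quoted text spells it, is tolerated.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R\.?(\d+)(?:\.(\d+))?$")


class PCSVersion(NamedTuple):
    major: int
    minor: int
    release: int
    maintenance: int


def parse_pcs_version(text: str) -> PCSVersion:
    """Parse a Pulse Connect Secure version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version string: {text!r}")
    major, minor, release, maint = m.groups()
    return PCSVersion(int(major), int(minor), int(release), int(maint or 0))


# Range taken from the advisory text: 9.0R3 and higher affected, 9.1R11.4 carries the fix.
AFFECTED_FROM = parse_pcs_version("9.0R3")
FIXED_IN = parse_pcs_version("9.1R11.4")

# Features the advisory names for the interim workaround (disable both). Flag names are constructed.
WORKAROUND_FEATURES = ("windows_file_share_browser", "pulse_secure_collaboration")


def triage_gateway(version: str, enabled_features: set) -> str:
    """Classify one gateway: 'patched', 'upgrade', 'upgrade-workaround-applied',
    or 'outside-advisory-range' (below 9.0R3, which the quoted advice does not cover)."""
    v = parse_pcs_version(version)
    if v >= FIXED_IN:
        return "patched"
    if v < AFFECTED_FROM:
        return "outside-advisory-range"
    # Workaround counts as applied only when neither risky feature is enabled.
    if enabled_features.isdisjoint(WORKAROUND_FEATURES):
        return "upgrade-workaround-applied"
    return "upgrade"


def triage_inventory(inventory: dict) -> dict:
    """inventory: {hostname: (version, set of enabled feature flags)} -> {hostname: status}."""
    return {host: triage_gateway(ver, feats) for host, (ver, feats) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = {
        "vpn-gw-1.example": ("9.1R11.4", {"windows_file_share_browser"}),
        "vpn-gw-2.example": ("9.1R9.1", {"pulse_secure_collaboration"}),
        "vpn-gw-3.example": ("9.0R3", set()),
        "vpn-gw-4.example": ("8.3R7", set()),
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Gateways reported as "upgrade-workaround-applied" are still on vulnerable code and should be upgraded; the status only records that the interim mitigation is in place.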


------------------------------------------------------------------------------------------------------------------------------

More

More US agencies potentially hacked, this time with Pulse Secure exploits

Zeroday vulnerability under attack has a severity rating of 10 out of 10.

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it's installed. . .

Federal agencies, critical infrastructure, and more

Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zeroday vulnerability, tracked as CVE-2021-22893, was under active exploit.

Advice on Pulse Connect Secure RCE Vulnerability - NCSC.GOV.UK

CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.

They just keep coming

The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks. In March, hackers exploiting a newly discovered vulnerability in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide. Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware. Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious, because the hackers can use them to compromise the large number of customers of the companies' products. . .

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.

--------------------------------------------------------------------------------------------------------------------------------
More

Five U.S. Agencies May Have Been Hacked Through Ivanti Flaws

The U.S. Department of Homeland Security has determined that flaws in Ivanti Inc.’s products may have allowed hackers to breach at least five federal agencies.

The Department’s Cybersecurity and Infrastructure Security Agency, known as CISA, has been working with organizations targeted through vulnerabilities in Ivanti’s Pulse Connect Secure products and required federal civilian agencies to run a tool designed to find them.

“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, a deputy executive assistant director at CISA, said Thursday in a statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”

Hartman didn’t identify the agencies. Reuters previously reported the suspected breaches in federal agencies. . .

> The U.S. hasn’t attributed the cyber-activity to a specific hacking group. However, the cybersecurity firm FireEye Inc. recently found that hackers -- suspected to be based in China -- were using Pulse Secure virtual private networks to hack into dozens of organizations for apparent espionage purposes, according to Charles Carmakal, a senior vice president and chief technology officer at FireEye, who spoke to Bloomberg News in an interview last week.

> The Chinese Embassy in Washington didn’t immediately respond to a request for comment.

> Organizations targeted by the hackers through Pulse Secure flaws spanned financial services, government and defense contracting in the U.S. and Europe, Carmakal said. Since then, analysts at FireEye have observed additional victims including transportation, energy, professional services and telecommunications organizations.

“This is a pretty big deal from a national security perspective,” Carmakal said in the interview. He said there has been a significant spike in China-linked hacking in the U.S. this year, including widespread attacks that leveraged flaws in Microsoft Corp.’s Exchange software for email.

— With assistance by William Turton

QOD: You can dig it