Pulse Secure VPN zero-day used to hack defense firms, govt orgs
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited in attacks against organizations worldwide, with a focus on US Defense Industrial Base (DIB) networks.
To mitigate the vulnerability, tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R11.4 release.
As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.
Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
------------------------------------------------------------------------------------------------------------------------------
More US agencies potentially hacked, this time with Pulse Secure exploits
Zeroday vulnerability under attack has a severity rating of 10 out of 10.
At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.
The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it's installed. . .
Federal agencies, critical infrastructure, and more
Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zeroday vulnerability, tracked as CVE-2021-22893, was under active exploit.
CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.
They just keep coming
The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tools maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks. In March, hackers exploiting newly discovered vulnerabilities in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide. Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware. Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious because the hackers can use them to compromise the large number of customers of the companies' products. . .
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.
--------------------------------------------------------------------------------------------------------------------------------
Five U.S. Agencies May Have Been Hacked Through Ivanti Flaws
The U.S. Department of Homeland Security has determined that flaws in Ivanti Inc.’s products may have allowed hackers to breach at least five federal agencies.
The Department’s Cybersecurity and Infrastructure Security Agency, known as CISA, has been working with organizations targeted through vulnerabilities in Ivanti’s Pulse Connect Secure products and required federal civilian agencies to run a tool designed to find them.
“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, a deputy executive assistant director at CISA, said Thursday in a statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”
Hartman didn’t identify the agencies. Reuters previously reported the suspected breaches in federal agencies. . .
> The U.S. hasn’t attributed the cyber-activity to a specific hacking group. However, the cybersecurity firm FireEye Inc. recently found that hackers -- suspected to be based in China -- were using Pulse Secure virtual private networks to hack into dozens of organizations for apparent espionage purposes, according to Charles Carmakal, a senior vice president and chief technology officer at FireEye, who spoke to Bloomberg News in an interview last week.
> The Chinese Embassy in Washington didn’t immediately respond to a request for comment.
> Organizations targeted by the hackers through Pulse Secure flaws spanned financial services, government and defense contracting in the U.S. and Europe, Carmakal said. Since then, analysts at FireEye have observed additional victims including transportation, energy, professional services and telecommunications organizations.
“This is a pretty big deal from a national security perspective,” Carmakal said in the interview. He said there has been a significant spike in China-linked hacking in the U.S. this year, including widespread attacks that leveraged flaws in Microsoft Corp.’s Exchange software for email.
— With assistance by William Turton