Suspected Chinese hackers took advantage of Pulse Secure VPN to endanger ‘dozens’ of agencies and companies in the US and Europe

An alarming report reveals how hackers have repeatedly exploited several known flaws and a newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector.

Tuesday’s revelations represent the latest cybersecurity crisis to hit the US, following the SolarWinds intrusion campaign by Russia’s foreign intelligence agency and a series of server software exploits Microsoft has attributed to Chinese state-sponsored hackers.
The U.S. Department of Homeland Security confirmed the breaches in its own public advisory Tuesday, urging network administrators to use a special tool designed to scan for signs of compromise and install a stopgap solution that has been published by Ivanti, the owner of Pulse Secure.

The attackers who exploited Pulse Secure are extremely sophisticated, using their access to steal account credentials and other sensitive data from victim organizations, said Charles Carmakal, FireEye’s senior vice president.

“These players are highly skilled and have deep technical knowledge of the Pulse Secure product,” said Carmakal.

According to the FireEye report, some of the break-ins using the vulnerabilities started as early as August last year. The group carrying out these attacks may be working for the Chinese government, the report said, and Carmakal added that “there are some similarities between parts of this activity and a Chinese actor we call APT5.”

Other actors have also exploited the vulnerabilities, although FireEye said it is unclear whether they may be related to a particular government.

In a blog post, Pulse Secure said the newly discovered flaw affects a “very limited number of customers” and that a more permanent software update will be released in early May to address that vulnerability. Software patches already exist for the other vulnerabilities.

“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS devices,” said Pulse Secure. “The PCS team has provided direct troubleshooting assistance to these customers.”

It added, “Customers are also encouraged to apply and use the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify unusual activity on their system.”

DHS’s Cybersecurity and Infrastructure Security Agency said that since March 31 it has assisted “multiple entities” whose vulnerable products have been exploited by a cyber threat actor.

“CISA has worked closely with Ivanti, Inc. to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civil and private networks,” Nicky Vogt, an agency spokesman, said Tuesday. “We will continue to provide guidance and recommendations to support potentially affected organizations.”
