U.S. agencies compromised by VPN flaws
- By Justin Katz
- Apr 21, 2021
A number of federal agencies were compromised through vulnerabilities in Pulse Connect Secure virtual private networking software, the Cybersecurity and Infrastructure Security Agency confirmed.
Beginning in June 2020, federal agencies, critical infrastructure organizations and private companies were compromised as a result of vulnerabilities in certain Ivanti Pulse Connect Secure products, according to an April 20 CISA advisory.
The advisory does not specify which agencies may have been affected, but Pulse Secure's parent company Ivanti holds contracts with the Pentagon, the Coast Guard, the Nuclear Regulatory Commission and the Bureau of the Fiscal Service, among others.
In an April 20 blog post, cybersecurity firm FireEye detailed its investigation into 12 malware families all associated with exploiting Pulse Secure VPN devices. The company labeled the hacking campaigns behind the attacks as UNC2630 and UNC2717. The former is suspected to be working on behalf of the Chinese government and targeting defense industrial base contractors, according to FireEye.
"We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments," FireEye wrote.
The company observed UNC2717 using the vulnerabilities against an unspecified "European organization." FireEye added that it cannot attribute all the attacks described in its report to the two actors it labeled, adding that it is likely "additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools."
The campaigns exploited several known vulnerabilities as well as one previously unknown vulnerability, CVE-2021-22893, discovered in April 2021, FireEye noted.
CISA said that Ivanti has developed a checker tool and is working on a patch. "CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti Integrity Checker Tool, update to the latest software version, and investigate for malicious activity," according to the advisory.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.