Hackers possibly backed by China have been exploiting flaws in Pulse Secure's virtual private network (VPN) products in recent months to spy on organizations linked to the United States defense industry. The warning was issued on Tuesday (20) by the company that maintains the tool.
According to Ivanti, the attackers used a previously unknown zero-day vulnerability in VPN appliances from its Pulse Connect Secure product line to break into a "very limited number of customers".
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the attacks, which also exploited other flaws in the product, targeted the country's government agencies, critical infrastructure entities and defense-related private sector organizations.
Ivanti did not disclose details about the authors of the campaign. However, the cybersecurity company Mandiant, which tracked the attacks, said it had found evidence that at least one of the attacker groups, which it calls UNC2630, is linked to the Chinese government.
In search of classified information
According to Mandiant, the Pulse Secure VPN flaws allow the attackers to bypass the single-factor and multi-factor authentication that protects devices on the virtual private network. Once inside, they install malware and web shells on the appliances that survive software updates.
These malicious files give remote access to the devices and are used to harvest legitimate access credentials (usernames and passwords) from the targeted organizations, leaving their internal systems wide open to the attackers.
The company said it had tracked at least 12 malware families deployed on Pulse Secure devices through the vulnerability tracked as CVE-2021-22893, which was discovered this month and, according to Ivanti, affected a small number of customers.
However, the previously disclosed and patched flaws CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260 may also be under renewed exploitation, including by other hacker groups, affecting defense and financial organizations and governments in further countries that use the company's VPN.
Actions to mitigate risks
To reduce the impact of the recently discovered zero-day vulnerability, Ivanti contacted the organizations affected by the attacks to advise them on how to mitigate the risks.
Among the recommendations is the use of the Pulse Connect Secure Integrity Tool, which can identify unusual activity on the appliance. The company also said it is working on a definitive fix for the problem, which is expected to be available in early May.
For the other flaws that are also being exploited, the company recommended that users of the product review all previously published guidance and verify that the security patches already released to fix them have been applied, and, if any compromise is found, reset all passwords on the device.