Intruders exploit Pulse Secure Virtual Private Networks (VPNs) to attack defense and financial sectors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, urging federal agencies to take immediate action to mitigate exposure to vulnerabilities in Pulse Connect Secure devices. This directive comes in response to a series of cyber attacks that have been linked to four specific vulnerabilities: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and a newly discovered vulnerability, CVE-2021-22893.
These attacks, which date back to 2019, have been targeting the U.S. defense industry, financial organizations, and targets overseas, including in Europe. The threat actor is known to compromise fully patched systems, having done so at a limited number of high-value targets.
The attacks on Pulse Secure VPN devices are particularly dangerous because they allow the attackers to bypass authentication, including multifactor authentication, log passwords, and maintain persistence through patching. This means that even systems with strong security measures in place can be compromised.
Researchers at Mandiant are currently tracking 12 malware families linked to these attacks. Stephen Eckels, a reverse engineer at Mandiant, has confirmed the attacks via email.
Many organizations across various sectors rely on Pulse Secure devices for virtual private network (VPN) access and are potentially affected by these attacks. The Department of Defense is currently assessing the potential impact to the Defense Information Network and taking steps to protect its data, networks, and systems.
CISA has urged all organizations running Pulse Secure devices to follow the steps outlined in the CISA Activity Alert and Emergency Directive. This includes identifying potential intrusions and running the Integrity Checker. Users are also encouraged to report any hash mismatches or newly detected files to the vendor and to CISA to help understand the extent of exposure in both the private and public sectors.
Officials at Ivanti, the parent company of Pulse Secure, have been working with customers on the latest series of attacks. Earlier this month, the FBI and CISA issued a warning about APT groups targeting Fortinet VPN devices, marking another instance of threat activities linked to VPN vulnerabilities.
As the cyber threat landscape continues to evolve, it is crucial for corporate stakeholders to better understand the risk calculus of their technology stacks. The lingering question remains: Are we a target? While the answer may not be straightforward, taking proactive measures such as those outlined by CISA can help mitigate the risk of a cyber attack.