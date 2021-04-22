



US Agencies Compromised By VPN Flaws

By Justin Katz
Apr 21, 2021

A number of federal agencies have been compromised by vulnerabilities discovered in virtual private network software created by Pulse Connect Secure, the Cybersecurity and Infrastructure Security Agency has confirmed.

Since June 2020, federal agencies, critical infrastructure organizations, and private companies have been compromised due to vulnerabilities in certain Ivanti Pulse Connect Secure products, according to an April 20 CISA advisory.

The notice does not specify which agencies may have been affected, but Pulse Secure’s parent company, Ivanti, has contracts with the Pentagon, the Coast Guard, the Nuclear Regulatory Commission, and the Bureau of the Fiscal Service, among others.

In an April 20 blog post, cybersecurity firm FireEye detailed its investigation of 12 malware families, all associated with the exploitation of Pulse Secure VPN devices. The company called the hacking campaigns behind the attacks UNC2630 and UNC2717. The former is suspected of working for the Chinese government and targeting contractors in the defense industrial base, according to FireEye.

“We observed UNC2630 harvesting credentials from various Pulse Secure VPN connection streams, which ultimately allowed the actor to use legitimate account credentials to move sideways in affected environments,” FireEye wrote.

The company observed UNC2717 using the vulnerabilities against an unspecified “European organization.” FireEye added that it cannot attribute all of the attacks described in its report to the two actors it tagged, and that it is likely that “additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools.”

The campaigns used some known vulnerabilities as well as a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, FireEye noted.

CISA said Ivanti has developed a verification tool and is working on a fix. “CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti Integrity Checker tool, update to the latest software version and check for malicious activity,” the advisory said.

This article first appeared on FCW, a sister site of GCN.

About the Author

Justin Katz covers cybersecurity for FCW. Previously, he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition, and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington DC areas. Connect with him on Twitter at @JustinSKatz.

