27 with 24 posters participating
Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said.
At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups—at least one of which likely works on behalf of the Chinese government—are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels wrote. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”
Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices.
Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday’s post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations.”
come under active attack by hackers and likely led to the successful ransomware attack on Travelex, the foreign currency exchange and travel insurance company that neglected to install the patches.
The Mandiant advisory is concerning because it suggests that organizations in highly sensitive areas still haven’t applied the fixes. Also concerning is the revelation of a Pulse Secure zero-day that is under wide attack.
Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug. The Mandiant blog post contains a wealth of technical indicators that organizations can use to determine if their networks have been targeted by the exploits.
Any organization that’s using Pulse Secure anywhere in its network should prioritize reading and following the recommendations from both Mandiant and Pulse Secure.