US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues (reuters.com) 12
For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.
The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.
Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.
The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.
Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.
More detailed aritcle at Ars (Score:3, Interesting)
Ars Technica has a more technical article about this authentication bypass. [arstechnica.com]
Pulse Connect has a history of vulnerabilities over the last few years. [tenable.com]
OpenVPN auth bypass just patched too (Score:1)
I'm surprised that OpenVPN authentication bypass vulnerability CVE-2020-15078 [openvpn.net], patched in April 2021 [openvpn.net], hasn't gotten more attention.
The problem allows unauthorized logins to servers using deferred authentication (like with user auth tokens). It is fixed in OpenVPN 2.4.11 and 2.5.2.
Pulse Secure uses OpenVPN in some of its software so I wonder if this is related.
OpenVPN characterizes the vulnerability as high to critical [openvpn.net] but does not publish a CVSS score [nist.gov] and underplays the bug with the title "partial informati [openvpn.net]
Pulse Connect Secure, huh? (Score:1)
Monero (Score:1)
For the record - I sold all my crypto holdings in January. I just think the
Security it's a Cost (Score:3, Insightful)
Yet another security firm, selling security at a profit and that profit is based on not providing security and charging like you do, PROFIT. This is yet another corruptly presented story. Pulse Secure failed in security and well, looking to blame Russia and China as an excuse for lax security, it is all the rage. Charge for security, get caught not providing security, as in get hacked, blame Russia and China and continue to pretend to sell security, charge for it without providing it.
Re:Security it's a Cost (Score:4, Insightful)
No one is blaming Russia or China for the Pulse Security screw up, that they are actively taking advantage of security screwups is widely recognized, at least by people not trying to deflect blame from them. Yours is the usual brain dead post-modern argument: don't blame X for being dicks, blame the dicked. That argument is akin to blaming women's attire for rape.
Look, biased reporting! (Score:1)