Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Technology

Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World (arstechnica.com) 31

An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.

Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations." Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization.
Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.
This discussion has been archived. No new comments can be posted.

Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World

Comments Filter:
  • The US government has a bunch of regulations for computer systems that it uses for itself and for contractors too. The regulations include things like FIPS *certified* implementations, you can have a system that meets the requirements perfectly but isn't certified and it won't do. You end up being forced to chose between a handful of vendors that sell a certified version - and every fucking one them is subject to crap like this. Just let me use the open source that meets the requirements, where I control th

    • Meets the requirements sounds like certification. Open-source or not.

    • One other government requirement is fitness for use, and value for money. And things bought, should be evaluated. If none are suitable, an exception can always be obtained. I remember govt's rolling out EAL certified products - and looking backwards (thinking of Cisco) it was a giant farce.They do not want to be reminded about this horrible history. The 2020 mantra is to dumb down ICT generally, and reduce decisions to 'Just reboot'. Do not hire expensive knowledgeable techos. If that don't work, they mumbl
  • PoS VPN (Score:4, Informative)

    by flyingfsck ( 986395 ) on Tuesday April 20, 2021 @05:56PM (#61295564)
    IMHO Pulse Secure is a real PoS VPN that frequently doesn't want to work. So if people would now stop using this junkware, the world would be a better place.
    • IMHO Pulse Secure is a real PoS VPN that frequently doesn't want to work. So if people would now stop using this junkware, the world would be a better place.

      What's a better alternative? I'm not in networking but I'm curious what are the robust and secure VPNs out there that people like (for reasons including but not limited to staying out o the news for vulnerabilities).

      • > what are the robust and secure VPNs out there

        Wireguard if you can. OpenVPN if you can't.

      • Get an AWS instance, and run your own vpn using OpenSwan. It's cheap and you don't have to trust anyone.

      • Butting in here, been using perfect-privacy for a few years and haven't seen any red flags yet. On the expensive side but pretty stable.

        In the big picture it depends on what you're using a VPN for. If it's for super secret stuff that would put your life in danger then no commercial VPN should be trusted. But if it's just to get some obfuscation into your browsing life, then a higher tier provider like them works pretty well.

        And a nice plus is that most have adblocking built into the connection now too so

        • Butting in here, been using perfect-privacy for a few years and haven't seen any red flags yet. On the expensive side but pretty stable.

          In the big picture it depends on what you're using a VPN for. If it's for super secret stuff that would put your life in danger then no commercial VPN should be trusted. But if it's just to get some obfuscation into your browsing life, then a higher tier provider like them works pretty well.

          And a nice plus is that most have adblocking built into the connection now too so you don't need to roll your own pihole. Add in a fingerprint blocking extension or two and it all combines into a decent prophylactic measure against scum like Facebook and the ad networks.

          Pulse Secure is an enterprise VPN used for connecting to a corporate network, rather than a the kind of VPN you would subscribe to to anonymize your IP.

          • by tlhIngan ( 30335 )

            Pulse Secure is an enterprise VPN used for connecting to a corporate network, rather than a the kind of VPN you would subscribe to to anonymize your IP.

            Exactly. And a hidden requirement is often the need to do tacky things like work through restrictive firewalls. I believe Pulse Secure has an SSL mode where it will use port 443 in an HTTPS like startup protocol, which would get through a lot of corporate firewalls that only allow 80/443 and even some proxies.

            It's not ideal, because TCP over TCP sucks balls,

    • by EvilSS ( 557649 )
      And they are owned by Ivanti. Why am I not surprised.
    • Worked fine for many I know. Fortunately for them, most of the IT staff was already moving to something else due to licensing costs.

      Irony. They were saved from a 0 day exploit because it was too expensive compared to competitors....
  • by Anonymous Coward

    "Hey, just wanted to let you know that if anyone logged in with my credentials from China, it wasn't me."

    The look on his face was worth it.

  • bad day to be an org....

    what ever that is...

  • by tomz16 ( 992375 ) on Tuesday April 20, 2021 @06:32PM (#61295702)

    Well yeah, no shit, stop using 2-factor auth as a crutch for fundamentally broken systems. It's a dumb panacea for dumb people. At best the whole shitty house of cards always inevitably falls down when the first factor falls. At worst the second factor is an attack vector for the other factor (e.g. 1-factor based password resets). We've seen both repeatedly.

    If it's important enough that a foreign nation-state wants in, then it's important enough to have your own PKI infrastructure with actual cryptographic certs distributed to users on secure compute elements (e.g. smartcards, TPM's whatevs).

    You see the part in the linked diagram where there's an ldap password comparison during login? stop... that... bullshit!

    • We live in a world where many startup websites allow you to log in to any account with a blank password.

      People test their code in the happy path, but don't look far beyond that.

  • Is that why my company disabled 2FA 1 week after turning it on ? I thought some high level Mangs. complainged too much.

"It's like deja vu all over again." -- Yogi Berra

Working...