Hackers Are Exploiting a Pulse Secure 0-Day To Breach Orgs Around the World (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said. At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groups -- at least one of which likely works on behalf of the Chinese government -- are also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.
Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices. Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesday's post reported. Separately, the US Cybersecurity and Infrastructure Security Agency said that targets also include US government agencies, critical infrastructure entities, and other private sector organizations. Mandiant said that it has uncovered "limited evidence" that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities. Tuesday's blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization. Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug.
government regulations (Score:1)
The US government has a bunch of regulations for computer systems that it uses for itself and for contractors too. The regulations include things like FIPS *certified* implementations: you can have a system that meets the requirements perfectly but isn't certified and it won't do. You end up being forced to choose between a handful of vendors that sell a certified version - and every fucking one of them is subject to crap like this. Just let me use the open source that meets the requirements, where I control th
Re: (Score:2)
I'm talking about using the same algorithms but an open source implementation that didn't go through a costly certification. I'm not talking about roll your own. If you require AES-256-GCM then great, if you require that be the only available one then great. I'm already required to have policies, documentation, logs, separation of duties, auditing - but you can't trust me to set this one thing correctly and use a quality implementation. Having a single set-in-stone certified configuration is a recipe for s
Re: (Score:2)
Meets the requirements sounds like certification. Open-source or not.
PoS VPN (Score:4, Informative)
IMHO Pulse Secure is a real PoS VPN that frequently doesn't want to work. So if people would now stop using this junkware, the world would be a better place.
Re: (Score:3)
What's a better alternative? I'm not in networking but I'm curious what are the robust and secure VPNs out there that people like (for reasons including but not limited to staying out of the news for vulnerabilities).
Re: (Score:2)
> what are the robust and secure VPNs out there
Wireguard if you can. OpenVPN if you can't.
Re: (Score:3)
Get an AWS instance, and run your own vpn using OpenSwan. It's cheap and you don't have to trust anyone.
Re: (Score:2)
Butting in here, been using perfect-privacy for a few years and haven't seen any red flags yet. On the expensive side but pretty stable.
In the big picture it depends on what you're using a VPN for. If it's for super secret stuff that would put your life in danger then no commercial VPN should be trusted. But if it's just to get some obfuscation into your browsing life, then a higher tier provider like them works pretty well.
And a nice plus is that most have adblocking built into the connection now too so you don't need to roll your own pihole. Add in a fingerprint blocking extension or two and it all combines into a decent prophylactic measure against scum like Facebook and the ad networks.
Pulse Secure is an enterprise VPN used for connecting to a corporate network, rather than the kind of VPN you would subscribe to in order to anonymize your IP.
Re: (Score:2)
Exactly. And a hidden requirement is often the need to do tacky things like work through restrictive firewalls. I believe Pulse Secure has an SSL mode where it will use port 443 in an HTTPS-like startup protocol, which would get through a lot of corporate firewalls that only allow 80/443 and even some proxies.
It's not ideal, because TCP over TCP sucks balls,
Re: (Score:2)
Irony. They were saved from a 0 day exploit because it was too expensive compared to competitors....
Tweaking the InfoSec guy at work (Score:1)
"Hey, just wanted to let you know that if anyone logged in with my credentials from China, it wasn't me."
The look on his face was worth it.
bad day to be an org.... (Score:1)
whatever that is...
Re: (Score:2)
A little curious, are you able to tell me what spoofing is? If you have enough access to routers to spoof then there is a further trail of evidence linking an attack to a source. The Internet is not nearly as anonymous as you think.
Re: (Score:1)
People with even limited resources can spoof an address. What do you think all those infected windows machines all around the world are doing?
It is just as plausible to believe it's coming from Romania, France, or Naperville as it is from China. They just happen to be the flavor of the week.
Re: (Score:2)
That is not how spoofing works. Spoofing only works for one-way traffic, which makes it a tool for DDoS. All the spam coming from bots is either sent directly (not spoofing, as the source IP is not obscured) or relayed through another provider (again, not spoofing). We have tools like SPF and DKIM that allow us to authenticate source traffic. Spoofing this traffic is not easy and requires a compromised CA in the case of DKIM and compromised DNS in the case of SPF. You never know who your targ
Re: (Score:1)
When your own "intelligence" agencies are engaging in these tactics, not too many people are going to look into it. Hell, the damn CIA could be hacking itself and not even know it.
2-factor auth (Score:3)
Well yeah, no shit, stop using 2-factor auth as a crutch for fundamentally broken systems. It's a dumb panacea for dumb people. At best the whole shitty house of cards always inevitably falls down when the first factor falls. At worst the second factor is an attack vector for the other factor (e.g. 1-factor based password resets). We've seen both repeatedly.
If it's important enough that a foreign nation-state wants in, then it's important enough to have your own PKI infrastructure with actual cryptographic certs distributed to users on secure compute elements (e.g. smartcards, TPMs, whatevs).
You see the part in the linked diagram where there's an ldap password comparison during login? stop... that... bullshit!
Re: (Score:2)
We live in a world where many startup websites allow you to log in to any account with a blank password.
People test their code in the happy path, but don't look far beyond that.
Is that why? (Score:2)