Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government Network The Internet

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues (reuters.com) 12

For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.

The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.

Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

This discussion has been archived. No new comments can be posted.

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues

Comments Filter:
  • by Anonymous Coward on Thursday April 29, 2021 @06:59PM (#61329902)
  • by Anonymous Coward

    I'm surprised that OpenVPN authentication bypass vulnerability CVE-2020-15078 [openvpn.net], patched in April 2021 [openvpn.net], hasn't gotten more attention.

    The problem allows unauthorized logins to servers using deferred authentication (like with user auth tokens). It is fixed in OpenVPN 2.4.11 and 2.5.2.

    Pulse Secure uses OpenVPN in some of its software so I wonder if this is related.

    OpenVPN characterizes the vulnerability as high to critical [openvpn.net] but does not publish a CVSS score [nist.gov] and underplays the bug with the title "partial informati [openvpn.net]

  • Funny name. Especially now. Yes, I know you probably thought about that too, but I'm the one who wrote it.
  • The currency that is best at privacy. If you are hiding money from the IRS you would be a fool to be using Bitcoin. Also because Monero is also actually used in transactions it is also significantly more stable than other currencies. (It's not that stable but compared to Bitcoin it is). So read up on which hardware wallets support Monero and do it properly and use that. Otherwise you are just asking to get caught by someone.

    For the record - I sold all my crypto holdings in January. I just think the
  • by rtb61 ( 674572 ) on Friday April 30, 2021 @12:09AM (#61330806) Homepage

    Yet another security firm, selling security at a profit and that profit is based on not providing security and charging like you do, PROFIT. This is yet another corruptly presented story. Pulse Secure failed in security and well, looking to blame Russia and China as an excuse for lax security, it is all the rage. Charge for security, get caught not providing security, as in get hacked, blame Russia and China and continue to pretend to sell security, charge for it without providing it.

    • by gtall ( 79522 ) on Friday April 30, 2021 @04:08AM (#61331230)

      No one is blaming Russia or China for the Pulse Security screw up, that they are actively taking advantage of security screwups is widely recognized, at least by people not trying to deflect blame from them. Yours is the usual brain dead post-modern argument: don't blame X for being dicks, blame the dicked. That argument is akin to blaming women's attire for rape.

  • Had this begun during the Obama administration, they would have listed the year, not that it happened under his watch. Maybe that's because the overwhelming majority of reporters and editors are staunchly partisan Democrats, maybe it's because Obama embedded censors in newsrooms, I don't know. What I do know is that the only reason to call out Trump for this is to express a partisan bias. Which Reuters definitely has and does not even pretend to conceal anymore.

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...