CISA: 5 Agencies Using Pulse Secure VPNs Possibly Breached
Suspicious Activity Detected; Investigation Continues
The Cybersecurity and Infrastructure Security Agency is investigating whether five government agencies may have been breached when attackers exploited vulnerabilities in Pulse Connect Secure VPN products, according to a senior agency official.
Earlier this month, researchers at the security firm FireEye published a report about attack groups attempting to exploit four Pulse Connect Secure vulnerabilities, including a zero-day flaw discovered in April that's now tracked as CVE-2021-22893.
Ivanti, the parent company of Pulse Secure, has issued a mitigation fix for the zero-day vulnerability and has urged customers to apply it.
Following the disclosure by FireEye and Ivanti, CISA issued an emergency directive requiring executive branch agencies to run tests using the Pulse Connect Secure Integrity Tool to check the integrity of file systems within their networks and report back the results to the agency on April 23.
Over the last week, CISA examined the results and found that at least five executive branch agencies had evidence of suspicious or malicious activity within their networks, says Matt Hartman, deputy executive assistant director at CISA. According to Hartman, 26 federal agencies use Pulse Connect Secure VPNs.
"CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access. We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly," Hartman says.
Hartman did not say which agencies found suspicious activities within their networks and did not offer a time frame for when CISA investigators will determine whether there were actual breaches of the infrastructure.
FireEye researchers believe that at least two nation-state attack groups have attempted to exploit the four Pulse Secure vulnerabilities, and one of these groups has ties to China. Besides U.S. government agencies, potential victims also include critical infrastructure providers and others, according to the report.
As of now, CISA has not attributed the attack to a particular group or nation-state.
Ongoing Cyber Concerns
CISA's investigation of potential breaches tied to unpatched Pulse Secure VPN products is the latest in a series of security probes by the agency.
Starting in December 2020, CISA, along with other agencies, began investigating the SolarWinds supply chain attack, which led to follow-on attacks on nine government departments and 100 private companies. Earlier this month, the Biden administration formally accused Russia's Foreign Intelligence Service, or SVR, of conducting the attack.
The White House issued sanctions against the Russian government, along with several companies and individuals, in connection with the SolarWinds attack as well as interfering in the November 2020 election (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
And after yet another investigation, CISA began issuing warnings to federal agencies in March to check for compromises related to four vulnerabilities in on-premises versions of Microsoft's Exchange email server (see: CISA Orders Agencies to Recheck for Exchange Compromises).
CISA worked with Microsoft to develop a scanning tool that could check networks for Exchange vulnerabilities in the same way the Pulse Secure tool works to uncover possible malicious activity.
Supply Chain Attacks
Drew Schmitt, senior threat intelligence analyst at GuidePoint Security, says the SolarWinds, Exchange and Pulse Secure attacks illustrate how attackers are using vulnerabilities in the software supply chain to target victims as well as gain long-term access to sensitive networks.
"Threat actors are exploiting these vulnerabilities that result in prolonged access to environments and the ability to conduct post-exploitation operations with a focus on stealing information and gaining insight into the organizations' operations," Schmitt says. "The level of risk associated with these high-profile attacks is critical, particularly for public sector organizations. It is imperative that organizations continue to evaluate their infrastructure for vulnerabilities and reduce their exploitable attack surface to prevent infiltration into their organizations."
Frank Downs, a former U.S. National Security Agency offensive threat analyst, says it's "discouraging" that the Pulse Secure attacks may have affected five agencies. "The damage can be mitigated if an appropriate defense-in-depth approach was taken by those agencies to ensure that the VPN was not the only tool for bolstering their cybersecurity," says Downs, who is now a director at the security firm BlueVoyant. "As CISA investigates and mitigates the attack, it will be important for them to also identify the extent of the exploitation at each agency."
The U.S. Senate Select Committee on Intelligence held a hearing earlier this month that featured testimony from leaders within the FBI, the CIA, the National Security Agency and the Office of the Director of National Intelligence. Among the topics discussed was the need to address "blind spots" where attackers might hide their activities from law enforcement and intelligence agencies. Some lawmakers are pushing for a national breach notification law (see: Senators Push for Changes in Wake of SolarWinds Attack).
The zero-day flaw in the Pulse Secure VPN products uncovered by FireEye - CVE-2021-22893 - if exploited, could allow an unauthenticated, remote attacker to execute arbitrary code through unspecified vectors, Ivanti says. CISA recommends all organizations using Pulse Connect Secure immediately update to software version 9.1R.11.4, which patches the flaw.
Attackers have also targeted a number of older flaws in Pulse Secure products, including CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243. Patches for these bugs were issued in 2019 and 2020, Ivanti says.
FireEye's Mandiant team identified two threat groups, which it labeled UNC2630 and UNC2717, that it believes are behind the attacks exploiting the Pulse Connect Secure flaws. UNC2630 is suspected to have ties to another threat group that works on behalf of the Chinese government, although a definitive connection could not be made, according to the report.