A number of U.S. government agencies have been compromised by hackers exploiting both known and newly found software flaws, the Cybersecurity and Infrastructure Security Agency warned Tuesday.
CISA, a component of the U.S. Department of Homeland Security, has accordingly issued an emergency directive requiring all federal civilian agencies to scan their systems for signs of abnormalities.
The vulnerabilities, including three previously disclosed bugs and one new one, affect versions of Pulse Connect Secure, a widely used tool designed to let customers remotely access computer networks.
CISA said it was issuing the directive amid evidence of “ongoing exploitation” of the vulnerabilities occurring, adding the activity started as far back as June 2020 and has claimed numerous victims.
Specifically, CISA said the vulnerabilities have so far been exploited to result in compromises of U.S. government agencies, critical infrastructure entities and private sector organizations alike.
CISA explained that successful exploitation of the Pulse Connect Secure vulnerabilities could enable a hacker to gain persistent access into a system where the software has been installed.
“CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency stated.
Mandiant, a Virginia-based security firm, said it has responded to multiple intrusions at defense, government and financial organizations around the world that were hacked by exploiting the bugs.
Several different hackers are believed to have exploited the flaws, Mandiant explained in a blog post, including a group, called UNC2630, that it suspects of operating on behalf of the Chinese government.
Mandiant said it found “strong similarities’ between UNC2630 and APT5, a suspected Chinese government espionage group that primarily targets aerospace and defense companies in the U.S. and elsewhere.
After gaining access to a system running the vulnerable software, UNC2630 hackers then harvested legitimate account credentials that enabled them to move laterally across networks, Mandiant said.
Phil Richards, the chief information security officer for Ivanti, Pulse Secure Connect’s parent company, said it recently discovered “a limited number of customers” experiencing related problems.
Ivanti has released a tool designed to let customers see if they are similarly impacted, and CISA has ordered all federal civilian agencies to use it by Friday and take remedial action if necessary.
Security patches for three of the vulnerabilities being exploited by the Pulse Secure Connect hackers were released in 2019 and 2020. Mr. Richards said a patch for the fourth will be available in May.
“As an entire company, we are dedicated to working with our customers and the broader security industry to mitigate the threat from these issues as quickly as possible,” he said.
Russell Goemaere, a spokesperson for the U.S. Department of Defense, told The Washington Times that the military is aware of the newly disclosed vulnerability and taking appropriate steps in response.
“We are assessing potential impact to the Defense Information Network and taking the appropriate steps to protect our data, networks and systems,” he said, adding the Pentagon is in close communication with both CISA and the U.S. National Security Agency, or NSA, “and recognize the serious nature of this and other cyber threats to the Department and to the country.”
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.