More Government Hackery / Hacked

More US agencies potentially hacked, this time with Pulse Secure exploits
Zero-day vulnerability under attack has a severity rating of 10 out of 10.

DAN GOODIN – 4/30/2021, 10:00 PM

Yeah. Zero Day. 10 out of 10 severity. I.e. they are screwed.

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.

Federal agencies, critical infrastructure, and more
Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was under active exploit.

In March, following the disclosure of several other vulnerabilities that have now been patched, Ivanti released the Pulse Secure Connect Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s disclosure that CVE-2021-22893 was under active exploit, CISA mandated that all federal agencies run the tool.

So how about we just, you know, stop routing packets to China? Just cut them off.

Why are agencies so lax about keeping the door closed?

They just keep coming

The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tool-maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks.

In March, hackers exploiting a newly discovered vulnerability in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide.

And folks wonder why I don’t run Microsoft products…

Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware.

So if you know the product is compromised, why are you still running it? Shut it down, scrub it. Do not start it back up again until you know it is safe. Yes. A PITA if you have allowed yourself to be dependent on it. But the alternative is worse.

FIRST PULL THE PLUG. Then figure out what to do next.

Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious, because the hackers can use them to compromise the large number of customers of the companies’ products.

Another leveraged attack on a “security” product company.

IF something is really really important to you, do NOT connect it to the internet. Have an isolated internal network that does not connect out. You do not need ALL your stuff on-line all the time available to the whole internet.

But Bidé{n} (The N is silent…) and Co. are busy looking for anyone who stood on steps at the capitol or may have voted for Trump… Sigh.

Hey, F.B.I., feel like idiot chumps yet? No? Give it time…


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Emergency Preparation and Risks, News Related, Tech Bits.

6 Responses to More Government Hackery / Hacked

  1. philjourdan says:

    Pulse Secure – a misnomer. An offshoot of Juniper. I have to laugh as I almost got a job with a major Uni that adored Juniper! I never did (I think their commit feature is good, but their admin sucks).

    We dumped that in 2018. And well we did. But we are a for profit business. Not government.

  2. Ossqss says:

    A very important note. These were servers compromised, not laptops.

    “an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide.”

  3. jim2 says:

    This article is BS. It says China. We all know it has to be RUSSIA!

  4. Ossqss says:

    Upon looking in the dark, this too has been happening since June? Something don’t smell right.

  5. tom0mason says:

    Not to worry, Pulse Connect Secure to be part of the ‘Build Back Better’ that (p)resident Bidet spoke about.

  6. philjourdan says:

    Yea, the Pulse Secure that is sunsetting. That is Biden all over.
