Federal officials engaged private sector researchers Mandiant/FireEye to help secure the U.S. defense industrial base and other industries against a campaign that exploits long-standing vulnerabilities in VPN appliances and deploys malware on the compromised devices.
The Cybersecurity & Infrastructure Security Agency has been working with multiple organizations since the end of March, after Pulse Secure products were exploited, sources familiar with the situation told Cybersecurity Dive. CISA issued the directive after it determined that the Pulse Secure exploit posed an unacceptable risk to civilian agencies.
"CISA is aware of at least five federal civilian agencies who have run the Pulse Secure Integrity Tool and have identified indications of potential unauthorized access," Matt Hartman, deputy executive assistant director at CISA, said in an emailed statement. The agencies are cooperating with CISA to confirm whether an intrusion took place and CISA will offer incident response support based on the findings, he said.
Federal officials and researchers at Mandiant/FireEye last month warned that advanced persistent threat actors were actively targeting zero-day vulnerabilities in Pulse Secure devices as part of a campaign against the U.S. defense and other industries. Earlier reports link the attack to a nation state, but federal officials have yet to release an official attribution.
Pentagon officials are working with other federal agencies to understand the impact of the attacks against Pulse Secure.
"We continue to assess the potential impact of the vulnerability in Pulse Secure VPN devices to the Defense Information Network and are taking the appropriate steps to protect our data, network and systems," a Pentagon spokesman said in an emailed statement.
The Pentagon, alongside CISA and the National Security Agency, recognizes the serious nature of this and other cyberthreats, the statement said. The Pentagon declined to offer specific details on the impacts or mitigation efforts, citing operational security.
The NSA is working to analyze the threat and provide tailored mitigation guidance, and is sharing cybersecurity threat information with the Defense Industrial Base, according to officials.
Pulse Secure has been working with officials from CISA as well as investigators and others from Mandiant/FireEye and Stroz Friedberg to address the malicious activity related to its VPN products. Phil Richards, chief security officer at Pulse Secure's parent firm Ivanti, said the company will continue to work with customers, law enforcement and other government agencies to mitigate the threats. The company is also working internally to improve its capabilities.
"Companywide we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards," he said in a May 3 blog post.
The malicious activity was found at a small number of Pulse Secure customers and involved three vulnerabilities previously identified in 2019 and 2020: CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260. The software patch released earlier last week addressed CVE-2021-22893, which allows an unauthenticated user to execute arbitrary code.
Researchers have traced some of the activity to threat actors linked to China. Some of the activity has similarities to prior campaigns dating back to 2014, which involved espionage-linked threat actor APT5, according to the Mandiant/FireEye blog.
The warnings on Pulse Secure follow earlier warnings from CISA and the FBI about advanced persistent threat actors targeting Fortinet FortiOS devices.
Some researchers consider VPNs an outdated technology that grants overly broad access and presents a wide attack surface for threat actors to engage in malicious activity. Patches, according to these researchers, cannot fully address these issues.
"Most VPNs still follow the on-premise 'Band-Aid box' model that traditional network security vendors have been selling for 20+ years," Tarun Desikan, co-founder and chief operating officer at Banyan Security, said via email. "This model involves buying expensive network appliances and stringing together multiple Band-Aid box solutions, such as VPN, firewall, routing, traffic optimization, load balancing, etc."
These solutions have had similar issues for years: they were hard to manage, difficult to scale and tricky to update, Desikan said. Most organizations have left them to ossify over the years, treating them as legacy technology.
"VPNs are particularly vulnerable because they are, by definition, exposed to the internet and serve as the entry point into an organization's protected corporate network," Desikan said. "They are often left unpatched so are particularly juicy targets for threat actors."