Multiple agencies breached by hackers using Pulse Secure vulnerabilities

Federal authorities announced Tuesday that hackers breached multiple government agencies and other critical organizations by exploiting vulnerabilities in products from a Utah-based software company.

“CISA is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related vulnerabilities in certain Ivanti Pulse Connect Secure products,” the Cybersecurity and Infrastructure Security Agency (CISA) said in an alert.

The agency, the cybersecurity arm of the Department of Homeland Security, noted that it had been assisting compromised organizations since March 31 and that the hackers used vulnerabilities to place webshells in the Pulse Connect Secure products, which allowed them to bypass passwords, multifactor authentication and other security features.

The agency wrote that Ivanti was developing a patch for these vulnerabilities and that it “strongly encouraged” all organizations using these products to update to the newest version and investigate for signs of compromise.

In addition, CISA put out an emergency directive Tuesday night requiring all federal agencies to assess how many Pulse Connect Secure products they and third-party organizations used and to update these products by April 23.

“CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the agency wrote in the directive. “This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

The alert was released after cybersecurity group FireEye’s Mandiant Solutions, which is working with Ivanti to respond to the hacking incident, published a blog post attributing some of the hacking activity to a Chinese state-sponsored hacking group and another Chinese advanced persistent threat group.

Mandiant found that the hacking group had targeted organizations in the U.S. Defense Industrial Base and European organizations and stressed that it was in the “early stages” of full attribution. 

A spokesperson for Ivanti told The Hill Tuesday that the patch for the vulnerabilities would be released in May and that only a “limited number” of customers had been compromised. 

“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,” the spokesperson told The Hill in a statement. “The PCS team has provided remediation guidance to these customers directly.”

The company also published a blog post detailing more about the vulnerabilities, noting that it was working with CISA, FireEye and other leading industry experts to investigate the hacking incident. 

“A secure computing environment is more important each and every day to how we work and live, as threats evolve and emerge,” PCS Chief Security Officer Phil Richards wrote in the blog post. “We are making significant investments to enhance our overall cyber security infrastructure, including evolving standards of code development and conducting a full code integrity review.”

The new breach comes on the heels of two other major security incidents that CISA has helped respond to over the past four months. 

The SolarWinds hack, carried out by Russian hackers and first discovered in December, compromised nine federal agencies and 100 private sector groups. The response to this was compounded when Microsoft announced new vulnerabilities in its Exchange Server application that were used by at least one Chinese hacking group to compromise thousands of organizations.  

CISA issued alerts ordering all federal agencies to investigate for signs of compromise in both hacking incidents and patch their systems and was one of four federal agencies in a unified coordination group that was formed to investigate each incident.  

A senior Biden administration official announced earlier this week that the group would be “standing down” due to a reduction in victims. President Biden also plans to shortly sign an executive order aimed at shoring up federal cybersecurity. 

Updated at 7:32 p.m.