The alarming report highlights how hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to dozens of organizations in the defense industrial sector.
DHS’ Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies on Tuesday to take several steps to reduce risk from the suspected hack.
The attackers who exploited Pulse Secure are extremely sophisticated and used their access to steal account credentials and other sensitive data belonging to victim organizations, said Charles Carmakal, FireEye’s senior vice president.
“These actors are highly skilled and have deep technical knowledge of the Pulse Secure product,” Carmakal said.
Other actors have exploited the vulnerabilities as well, though FireEye said it’s unclear whether they may be linked to a particular government.
“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,” Pulse Secure said. “The PCS team has provided remediation guidance to these customers directly.”
It added: “Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system.”
CISA said that since March 31, it has assisted “multiple entities” whose vulnerable products have been exploited by a cyber threat actor.
“CISA has been working closely with Ivanti, Inc. to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks,” Nicky Vogt, an agency spokesperson, said Tuesday. “We will continue to provide guidance and recommendations to support potentially impacted organizations.”