Chinese hackers exploited the Pulse Secure VPN to compromise government agencies and companies in the United States and Europe.

That’s according to new research by FireEye. For months, hackers with suspected ties to China have exploited a popular workplace tool to break into government agencies, defense companies and financial institutions, it said.

Mandiant, which was acquired by FireEye, is tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices. But they are not necessarily related to one another and have been observed in separate investigations. It’s likely multiple actors are responsible for the creation and deployment of these various code families.

Pulse Secure determined a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April are responsible for the initial infection vector.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for the Pulse Secure hack. It requires federal civilian agencies to mitigate Pulse Connect Secure product vulnerabilities.

Unacceptable Risk

“CISA has determined that these vulnerabilities pose an unacceptable risk that warrants emergency action to protect the federal networks,” the agency said. “CISA is aware of compromises of U.S. government agencies, critical infrastructure entities, and private-sector organizations by a cyber threat actor – or actors – beginning in June 2020 or earlier. Since March 31, 2021, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor.”

Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May.

Pulse Secure sent us the following statement:

“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,” it said. “The PCS team has provided remediation guidance to these customers directly.”

Ensuring Online Privacy and Security Is Paramount

Untangle’s Heather Paunet

Heather Paunet is senior vice president at Untangle.

“Security incidents, such as the attack on Pulse Secure VPN appliances, point out the need for ensuring you are using the latest technologies with state-of-the-art cryptography,” she said. “With more people working from home and using VPN technology than ever, ensuring online privacy and security is paramount. Yet, many businesses continue to use older technologies, despite the increase in not only the number of threats, but the sophistication of threats. Other considerations for VPN use include keeping up to date with patches and latest configuration, and ensuring employees use VPN according to protocol.”

Vishal Jain is co-founder and CTO of Valtix.

“The old adage of defense in depth is still pertinent,” he said. “Network security, tied to automatic rule updates for the latest vulnerabilities to guard against ingress infiltration by the way of virtual patching, prevention of lateral movement with east-west controls and data exfiltration with egress controls, will certainly help.”