We’re only learning about the attack now, but American and European government agencies, defense companies and financial institutions have been compromised for months. It looks like those sneaky Chinese hackers are at it again. On Tuesday, the world learned that Pulse Secure isn’t so secure after all.
Chinese attack alert
On Tuesday, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive telling every federal civilian agency running Pulse Connect Secure, a popular VPN appliance used for remote access, to stop what it is doing and apply the vendor’s mitigations, now. The directive is binding only on federal agencies, but the advice applies to everyone running the product.
The vendor whose product is at the heart of the attack is cooperating, and incident responders at FireEye published a report providing the technical background.
Ivanti, the owner of Pulse Secure, confirmed the intrusions in a public advisory of its own on Tuesday, urging “network administrators to run a special tool designed to scan for signs of compromise” and also to “install an emergency workaround.” The workaround matters because, for the newly discovered flaw, it was the only mitigation available that day; the full software fix was still in development.
The affected software is the Pulse Connect Secure product used for virtual private networks. FireEye confirms that for months, “hackers with suspected ties to China” have taken advantage of “several known flaws” (older vulnerabilities for which patches already existed, on appliances that hadn’t been updated) and “one newly discovered vulnerability” (the authentication bypass tracked as CVE-2021-22893) to “break into government agencies, defense companies and financial institutions.”
Dozens of “organizations in the defense industrial sector” are known to have been hacked, and as far as the experts can tell this is a separate campaign with no link to the recent SolarWinds hack.
That one is blamed on Russia’s foreign intelligence service, the SVR, roughly their version of the CIA. (The GRU, often confused with it, is Russia’s military intelligence agency.)
An emergency directive
This attack looks more like the Exchange “server software exploits that Microsoft has attributed to Chinese state-sponsored hackers.” That’s why CISA told everyone using Pulse Secure to “determine how many instances of the product they have, run an ‘integrity tool’ to check for issues, install updates and submit a report to CISA by Friday.”
The integrity tool is a bit like the “malicious software removal tool” Microsoft users know from their monthly patches, with one important difference: it only checks the appliance’s files for unexpected changes and reports what it finds. It doesn’t remove anything, so a positive result means you have an incident to investigate, not a problem that has been fixed.
The severity of the attack prompted the alert. Experts say that “emergency directives are rare and are used for incidents that have a high potential for compromise of agency systems.”
As noted by FireEye senior vice president Charles Carmakal, the attackers who exploited Pulse Secure “are extremely sophisticated and used their access to steal account credentials and other sensitive data belonging to victim organizations.”
He says the hackers seem to know the product almost as well as the people who built it. “These actors are highly skilled and have deep technical knowledge of the Pulse Secure product,” he admits. FireEye found that the earliest intrusions date back to last August. The credential theft is the part that should worry administrators most: once an attacker has harvested the accounts that authenticated through a VPN appliance, patching the appliance doesn’t evict them, so any organization that finds signs of compromise also needs to reset those credentials and hunt for the attacker elsewhere on the network. Meanwhile, the federal government is doing its best to assure everyone that everything is just fine.
CISA spokesperson Nicky Vogt said: “CISA has been working closely with Ivanti, Inc. to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks. We will continue to provide guidance and recommendations to support potentially impacted organizations.”