CISA Orders Agencies to Mitigate Pulse Secure VPN RisksAgency Says Exploits Pose 'Unacceptable Risk'
The U.S. Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring executive branch agencies to mitigate by Friday the risks posed by a zero-day vulnerability and three other recently patched flaws in Pulse Connect Secure VPN products.
On Tuesday, Ivanti, the parent company of Pulse Secure, and the security firm FireEye warned that at least two nation-state attack groups, including one with links to China, were exploiting the vulnerability to target a range of victims, including U.S. government agencies, critical infrastructure providers and other private sector organizations.
CISA is ordering agencies to use the Pulse Connect Secure Integrity Tool to check the integrity of file systems and take further action as necessary. Ivanti developed the tool, which helps organizations determine if malicious activity is taking place.
Federal civilian agencies running Pulse Connect Secure products are required to take immediate action. We encourage all organizations to follow similar steps. Read Emergency Directive 21-03: https://t.co/8TlOwi3zHn pic.twitter.com/nZOJF9bswi— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 21, 2021
"CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to federal civilian executive branch agencies and requires emergency action," according to the emergency directive. "This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise."
The Biden administration has been responding to a series of security incidents, including the SolarWinds supply chain attack, which led to follow-on attacks on nine government agencies and 100 companies and exploits of flaws in on-premises Microsoft Exchange email servers.
On Monday, the White House announced that it would start to wind down two groups created to respond to the SolarWinds and Exchange attacks (see: White House 'Stands Down' SolarWinds, Exchange Response Groups).
The White House issued sanctions against Russia on April 15 as a response to the SolarWinds attack and interference in the 2020 U.S. elections (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
Lawmakers Raise Questions
Lawmakers have raised concerns about the federal government's response to security incidents.
Earlier this month, the U.S. Senate Select Committee on Intelligence held a hearing that included testimony from leaders within the FBI, the CIA, the National Security Agency and the Office of the Director of National Intelligence. Much of the discussion focused on responses to these types of cyberthreats and addressing the issue of "blind spots" where attackers might hide their activities from law enforcement and intelligence agencies.
Gen. Paul Nakasone, the director of the NSA, noted that while his agency can't investigate intrusions within the U.S., the government and companies need to do a better job of sharing intelligence. Some senators are also pushing for a federal law requiring data breach notification (see: Senators Push for Changes in Wake of SolarWinds Attack).
Frank Downs, a former NSA offensive threat analyst, says it's encouraging that CISA is ordering federal agencies to take security action.
"In many instances, attacks go unnoticed, without any remediation," says Downs, who is now a director at the security firm BlueVoyant. "The fact there have been increased warnings and recognition of attacks indicates that the strengthening posture of U.S. cybersecurity is working."
But Joseph Neumann, cyber executive adviser at consulting firm Coalfire, says the federal government should replace its current ad hoc approach to risk mitigation with a more holistic approach.
"At the current time, every federal entity runs as an island, making decisions from procurement to risk acceptance independently," Neumann says. "This disparate approach is both a strength and a weakness. Its strength is that there are varying systems all over the place, so one vulnerability doesn’t affect every organization. But on the flip side, it makes it nearly impossible for one organization to defend against all of the unknown threats."
The attacks uncovered by FireEye are exploiting four Pulse Connect Secure vulnerabilities, including a zero-day flaw discovered in April and tracked as CVE-2021-22893.
The zero-day flaw, which has a CVSS ranking of 10, making it "critical," could allow an unauthenticated, remote attacker to execute arbitrary code through unspecified vectors, Ivanti says. CISA recommends all organizations using Pulse Connect Secure immediately update to software version 9.1R.11.4.
Attackers may have used the older vulnerabilities to gain an initial foothold within their targets, according to FireEye.
FireEye's Mandiant team identified two threat groups, which it labeled as UNC2630 and UNC2717, and said it believes they are behind the attacks exploiting the Pulse Connect Secure flaws. UNC2630 is suspected to have ties to another threat group that works on behalf of the Chinese government, although a definitive connection could not be made, according to the report.
Warnings About VPN Vulnerabilities
Since 2019, security researchers have been warning about unpatched vulnerabilities in VPNs from Pulse Secure and other companies, which have been exploited by cybercriminal gangs looking to spread ransomware and other attacks. The vulnerability known as CVE-2019-11510 has been an ongoing concern (see: Ransomware: Beware of 13 Tactics, Tools and Procedures).
Also, the CVE-2019-11510 vulnerability in Pulse Secure Connect VPNs was found to be a favorite target of the Russian Foreign Intelligence Service, aka SVR, over the last several years, according to a joint alert from the FBI, CISA and the NSA following the announcement of sanctions last week. All three agencies urged private firms and government agencies to patch against this bug. When the sanctions against Russia were announced, the White House formally accused SVR of conducting the SolarWinds attack (see: US Pulls Back Curtain on Russian Cyber Operations).
"Taking advantage of a VPN product can be one of the most undermining attacks an organization or company experiences," Downs says. "These capabilities are developed with the sole purpose of keeping entire communications streams, networks and mechanisms private through strong encryption … As such, when a company or agency's VPN service is exploited, it can cause serious foundational ripple effects which impact the entirety of the organizational security stance."