According to FireEye, alleged hackers with Chinese nation-state ties have been exploiting vulnerabilities in Pulse Secure VPN to force their way into defense companies, financial institutions, and government agencies across the United States and Europe. The scope is believed to be contained to a "very limited number of customers", according to Pulse Secure. Unfortunately, a patch for one of the newly discovered flaws, which is being exploited in the wild, won't be released until early May. Patches are available for the other vulnerabilities that are being exploited.
Determine how many instances of the product they are running
Install updates and submit a report to CISA by 4/23
The attackers reportedly share characteristics with Chinese actor APT5, according to FireEye.
Pulse Secure has been a target of other APTs in the past, including APT29 (a.k.a. Cozy Bear), which the FBI warned users about just the other week. And in August of 2020, a hacker published a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers, according to ZDNet.
This story is continuing to develop, but one thing is clear -- VPNs aren't to be trusted. In fact, some security pros believe this is just the beginning of the end for VPNs.
Gary Kinghorn of Tempered Networks says, "The VPN is dead, or should be. It's a gateway to a network that when breached provides extensive access to the rest of the organization. There are better approaches that can eliminate these vulnerabilities that include end-to-end encryption, cryptographically-verified identities of remote users and accessible devices, and shutting down the spread of threats that do penetrate the network perimeter with microsegmentation. It's taking a long time for mainframes to die, so we’ll probably see the same with VPNs."