The cybersecurity firm FireEye suspects at least one of the campaigns it reported on operates on behalf of the Chinese government.
The Cybersecurity and Infrastructure Security Agency on Tuesday confirmed that a number of federal agencies were compromised by a threat actor last year through vulnerabilities in the Pulse Connect Secure virtual private network (VPN) software.
CISA "is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products," according to an April 20 advisory.
"Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor," the advisory continues.
The advisory does not specify which agencies may have been affected, but Pulse Secure's parent company Ivanti holds contracts with several government departments and agencies, including the Pentagon, the Coast Guard, the Nuclear Regulatory Commission and the Bureau of the Fiscal Service.
In a blog post on Tuesday, cybersecurity firm FireEye detailed its investigation into 12 malware families all associated with exploiting Pulse Secure VPN devices. The company labeled the hacking campaigns behind the attacks as UNC2630 and UNC2717. The former is suspected to be working on behalf of the Chinese government and targeting defense industrial base contractors, according to FireEye.
"We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments," FireEye wrote.
The company observed UNC2717 using the vulnerabilities against an unspecified "European organization." FireEye added that it cannot attribute all the attacks described in its report to the two actors it labeled and that it is likely "additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools."
The company also wrote that the campaigns exploited several known vulnerabilities as well as one previously unknown vulnerability, CVE-2021-22893, discovered in April 2021.
CISA also wrote that Ivanti has developed a checker tool and is working on a patch. "CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti Integrity Checker Tool, update to the latest software version, and investigate for malicious activity," according to the advisory.