Suspected Chinese state-sponsored hackers exploited vulnerabilities in Pulse Secure LLC virtual private network appliances, breaching multiple U.S. government agencies.

The attacks were confirmed by FireEye, Pulse Secure itself and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It is believed that the attacks started around June last year. Three of the vulnerabilities exploited in the attacks had been previously detected and patched in 2019 and 2020. The fourth vulnerability was found this month and affected only a small number of customers. It hasn’t been patched yet, but Ivanti, Pulse Secure’s parent company, has a plan.

The patch is coming soon

Ivanti is working with customers to mitigate any risks until a patch is made available early next month. The attackers exploited the vulnerabilities to place web shells on the Pulse Connect Secure appliance, giving them further access and persistence.

The web shells support functions such as bypassing authentication and multifactor authentication, password logging and patching for persistence.

A list of victims was not disclosed. FireEye identifies them only as ‘defense, government and financial organizations around the world’, with a focus on the U.S. defense industry.

China says it didn’t do it

China denies being behind the attacks. Chinese Embassy spokesperson Liu Pengyu spoke to Reuters and said that China firmly opposes and cracks down on all forms of cyberattacks.

Experts agree that the best way to stay safe is to have good cyber hygiene and intense blue teaming. Vishal Jain, the co-founder and CTO at Valtix (a security service provider), says that defense in depth is the way to go if these issues are to be addressed properly.

In the meantime, customers await the patch and hope this doesn’t happen again.