Ivanti Pulse Connect Secure data breach

On April 20, 2021, it was reported that suspected Chinese state-backed hacker groups had breached multiple government agencies, defense companies and financial institutions in both the US and Europe after creating and using a zero-day exploit for Ivanti Pulse Connect Secure VPN devices. [1] [2] [3] A Cybersecurity and Infrastructure Security Agency alert reported that the attacks using the exploit started in June 2020 or earlier. [4] The attacks were believed to be the third major data breach against the U.S. in the previous year, after the 2020 United States federal government data breach and the 2021 Microsoft Exchange Server data breach. [5]

Impact

A Cybersecurity and Infrastructure Security Agency alert reported that the attacks affected "U.S. government agencies, critical infrastructure entities, and other private sector organizations." [6] A spokesperson for Ivanti said that only a "limited number" of customers had been compromised. [7] Mandiant's chief financial officer Charles Carmakal said that while there was only limited indication that the hack had a large number of victims, the breach was significant because it had allowed unauthorized access to federal and corporate systems for months. [8]

Responses

A spokesperson for Ivanti said that while mitigations were in place, a patch to fix the vulnerabilities was not expected until May. [9] The patch was released on May 3, 2021. [10] CISA issued an emergency directive requiring federal agencies to install the product updates. [11] China denied being behind the attack and accused the U.S. of being the "biggest empire of hacking and tapping." [12]

References

  1. Miller, Maggie (2021-04-20). "Multiple agencies breached by hackers using Pulse Secure vulnerabilities". The Hill. Retrieved 2021-04-21.
  2. "Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day". FireEye. Retrieved 2021-04-21.
  3. Fung, Brian; Sands, Geneva (2021-04-20). "Suspected Chinese hackers exploited Pulse Secure VPN to compromise 'dozens' of agencies and companies in US and Europe". CNN. Retrieved 2021-04-21.
  4. "Exploitation of Pulse Connect Secure Vulnerabilities | CISA". us-cert.cisa.gov. Retrieved 2021-04-21.
  5. Fung, Brian; Sands, Geneva (2021-04-20). "Suspected Chinese hackers exploited Pulse Secure VPN to compromise 'dozens' of agencies and companies in US and Europe". CNN. Retrieved 2021-04-21.
  6. "Exploitation of Pulse Connect Secure Vulnerabilities | CISA". us-cert.cisa.gov. Retrieved 2021-04-21.
  7. Miller, Maggie (2021-04-20). "Multiple agencies breached by hackers using Pulse Secure vulnerabilities". The Hill. Retrieved 2021-04-21.
  8. "China behind another hack as U.S. cybersecurity issues mount". NBC News. 2021-04-22. Retrieved 2021-04-22.
  9. Miller, Maggie (2021-04-20). "Multiple agencies breached by hackers using Pulse Secure vulnerabilities". The Hill. Retrieved 2021-04-21.
  10. Mackie, Kurt (2021-05-03). "Patch Issued for Critical Vulnerability in Pulse Connect Secure VPNs". Redmondmag. Retrieved 2021-05-10.
  11. Fung, Brian; Sands, Geneva (2021-04-20). "Suspected Chinese hackers exploited Pulse Secure VPN to compromise 'dozens' of agencies and companies in US and Europe". CNN. Retrieved 2021-04-21.
  12. "China calls U.S. "biggest empire of hacking" after being accused of cyber spying". Newsweek. 2021-04-21. Retrieved 2021-04-22.