UPDATED: Adds information about today’s update from CISA to the activity alert issued on April 20.
WASHINGTON: CISA today confirmed that at least five federal agencies are being investigated to determine whether they have been compromised through recently announced vulnerabilities in Pulse Connect Secure appliances.
Matt Hartman, vice executive director of CISA, said in a statement to Breaking Defense, “CISA is aware of at least five federal civil agencies that have run the Pulse Connect Secure Integrity Tool and identified indications of possible unauthorized access. We work with each agency to verify that an intervention has taken place and provide incident response support accordingly.”
Hartman did not say which agencies are the subject of the ongoing investigation.
As of March 31, CISA has been supporting “multiple companies” whose vulnerable Pulse Connect Secure products have been exploited. A source at CISA previously told Breaking Defense that the US government has not yet made a decision on attribution.
On April 20, CISA released an emergency policy and an activity alert covering four vulnerabilities in Pulse Connect Secure: three known since last year and one newly discovered this month. CISA today updated the activity alert, adding new information on Transport Layer Security (TLS) fingerprinting, a technique that can be used to identify malicious activity.
The emergency policy required all civil federal agencies to identify the Pulse Connect Secure devices in use and run a free online tool to assess whether the product was compromised. The results were due to CISA last Friday. Based on these findings, CISA discovered further indications of possible breaches.
A CISA source previously told Breaking Defense that 24 federal agencies are using the popular product, which allows employees to remotely access federal networks over a virtual private network (VPN). VPNs encrypt data when it is transmitted over public networks.
Without knowing which agencies are affected, who the attacker is, or more details about the tactics, techniques, and procedures used in these potential hacks, it is difficult to assess their potential severity. What is clear is that federal agencies continue to be targets of sustained cyber operations, often by foreign governments.
News of these recent potential breaches follows the SolarWinds and Microsoft Exchange cyber espionage campaigns. The U.S. government officially attributed the former, which affected at least nine federal agencies, to Russia on April 15, and the latter is widely viewed as the work of mainly Chinese threat actors, although the U.S. government has not yet officially attributed the campaign.