China broke into govt, defense, finance networks via zero-day in Pulse Secure VPN gateways? No way

Dozens of defense companies, government agencies, and financial organizations in America and abroad appear to have been compromised by China via vulnerabilities in their Pulse Connect Secure VPN appliances – including a zero-day flaw that won't be patched until next month. On Tuesday, IT software supplier Ivanti, the parent of …

  1. Pascal Monett Silver badge

    "the Biden administration on Tuesday announced a 100-day plan to improve [,,] cybersecurity"

    Is it me, or are we suddenly no longer hearing about the importance of backdooring encryption?

    1. Claptrap314 Silver badge

      Re: "the Biden administration on Tuesday announced a 100-day plan to improve [,,] cybersecurity"

      Find me an AG that's not calling for it, and I'll find you an elephant with donkey ears.

      EVERY AG has called for it since Janet Reno (Bill Clinton). And the only reason that it started then was because civilian encryption really was not a thing until then.

      This is NOT a partisan issue. If you make it one, then sooner or later, the other party will be in charge & force-feed you the Kool-aid.

      So, you're not only wrong, you're dangerously wrong.

    2. DS999 Silver badge

      Re: "the Biden administration on Tuesday announced a 100-day plan to improve [,,] cybersecurity"

      Wait until the next terrorist attack, the FBI will trot out the same arguments it has used for 25 years. I'm surprised we haven't heard it about the Jan. 6 insurrection yet, but I wouldn't rule that out. Identifying who was there by all the photos/video posted everywhere has been the easy part, proving advance planning will be a lot harder since a lot of it will have taken place via encrypted messaging. Even if incriminating stuff wasn't deleted before they were eventually arrested, the FBI may have trouble gaining access to seized devices or messaging apps may have a second level of encryption.

      Now that they have reportedly flipped a founding member of the Oath Keepers they'll no doubt get plenty of insider details from the group that provided "security" for Roger Stone on the 6th. But if the FBI found something they wanted to back up his claims with electronic evidence, they'll only have the flipper's end of encrypted communications - and that assumes he hadn't deleted it prior to his decision to flip. If for example he fingered Roger Stone or Rudy Giuliani as having been involved in planning that day, and the FBI thinks hard evidence proving it is hiding behind encryption or devices they can't break, we'll be treated to another round of "we need backdoors for law enforcement".

  2. HildyJ Silver badge
    FAIL

    Again

    While there is no mechanism to prevent zero days, Secure VPN had patched severe vulnerabilities years ago and they were still being exploited today because some companies (and, possibly, governments) ignored the warnings and the patches.

    Too many companies and governments are unwilling to devote time and money to security. As a result, it's happened again and will happen again in the future.

    I wonder how many intelligence agencies knew of this vulnerability? I assume Pulse Secure VPN is on all their target lists. The second attack against Europe might have been Russia but, given its history, it could also have been the NSA.

    1. teknopaul Silver badge

      Re: Again

      China hacks USA, NSA hacks China.

      The interesting part of this is use of Pulse VPN. Which is essentially walking in through the front door.

      Using well-known tricks.

      With security guards asleep.

      Repeatedly.

      After asking Microsoft.com for permission.

      Putting the fa in 2fa. :)

  3. Anonymous Coward

    It has become standard procedure

    for companies to put the blame on powerful state-sponsored actors in order to deflect attention from their crap security. Just take a look at SolarWinds' "Russia did it" justification that conveniently hides the fact they were using hilariously weak passwords and never bothered to have adequate security controls in place (I am fully aware this is not a reason to hack their systems). I'm not saying Russian hackers did not do it, but going straight to the Kremlin each time this happens becomes tiresome after a while.

    1. martinusher Silver badge

      Re: It has become standard procedure

      >but going straight to the Kremlin each time this happens becomes tiresome after a while.

      It's also subtly pushing the idea of an opaque nest of villainy that is all knowing, all seeing, all capable and ready to instantly exploit any and every vulnerability. Leaving aside the notion that if you leave the door open then literally anyone and anything will walk in, state sponsored or not, the idea that government in other countries is significantly more capable and competent than government in our own country is plain ludicrous.

      There's ample evidence to suggest that spooks -- the various intelligence agencies -- live in a world entirely of their own invention. A cyber version of "Spy vs Spy", perhaps?

    2. LDS Silver badge

      Re: It has become standard procedure

      It's not the entry vector, but the sophistication of what is performed later. They didn't install a ransomware to make some quick bitcoins.

  4. Claptrap314 Silver badge

    FireEye?

    Where have I heard that name before? Around here? Hmm...

  5. Greybeard_ITGuy

    I feel so much safer now...

    "Coincidentally, the Biden administration on Tuesday announced a 100-day plan to improve the cybersecurity of US electric infrastructure, part of its broader commitment to shore up cybersecurity across multiple sectors."

    Suddenly we will all be safer because the government is here to help. /s
