Government agencies breached in hacking campaign targeting Pulse Secure VPN appliances
Multiple U.S. government agencies have been breached by suspected Chinese state-sponsored hackers who exploited vulnerabilities in Pulse Secure LLC virtual private network appliances.
Confirmed by cybersecurity company FireEye Inc. and Pulse Secure itself along with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency, the attacks are believed to have started around June.
Three of the four vulnerabilities exploited in the attacks were previously disclosed and patched in 2019 and 2020. The fourth was discovered this month and affects a very limited number of customers.
That last one has not yet been patched, but Ivanti Inc., the owner of Pulse Secure since December, said it’s working with customers on mitigation strategies until a patch becomes available in early May.
The threat actor is said to be using the access provided by the vulnerabilities to place web shells on the Pulse Connect Secure appliance for further access and persistence. The web shells support a range of functions, including authentication bypass, multifactor authentication bypass, password logging and persistence that survives patching of the appliance.
A list of victims was not disclosed. FireEye identified them only as “defense, government and financial organizations around the world,” with a particular focus on the U.S. defense industry.
China has denied being behind the attacks. Chinese Embassy spokesperson Liu Pengyu told Reuters that China “firmly opposes and cracks down on all forms of cyberattacks” and described the allegations as “irresponsible and ill-intentioned.”
“Almost without fail, the common thread with any advanced persistent threat is the exploitation of known vulnerabilities both new and old,” Yaniv Bar-Dayan, chief executive officer and co-founder at cyber remediation orchestration company Vulcan Cyber Ltd., told SiliconANGLE. “Malicious activity, whether using a supply chain vector or a VPN authentication bypass, is thwarted by good cyber hygiene practices and serious blue teaming.”
Vishal Jain, co-founder and chief technology officer at cloud network security service provider Valtix Inc., noted that the old adage of “defense in depth” is still pertinent.
“Network security, tied to automatic rule updates for the latest vulnerabilities to guard against ingress infiltration by the way of virtual patching, prevention of lateral movement with east-west controls and data exfiltration with egress controls, will certainly help,” Jain said.