VPN flaws allowed Chinese hackers to compromise many of Ivanti’s customers, the report says

In February 2021, the software giant Let me know discovered that Chinese hackers had breached the network of Pulse Secure, one of its subsidiaries that provides VPN equipment to many companies and government agencies around the world. according to a new Bloomberg report.

Hackers used an existing vulnerability in Pulse Secure VPN software to plant a backdoor, Bloomberg said, citing Ivanti’s chief security officer at the time and others. The backdoor allowed the hackers to gain access to 119 other unnamed organizations using the company’s VPN.

Mandiant says it is also aware of the breach, warning Ivanti that hackers used the virus to breach European and US military contracts.

The previously unreported breach is the latest example of how acquisitions, layoffs, and corporate-driven cost cuts helped compromise the capabilities and security of Ivanti’s most critical technology. After the private equity giant Clearlake Capital Group acquired Ivanti in 2017, Bloomberg reported the costs – mostly in 2022 – which affected employees who had deep knowledge of the company’s operations and security.

Ivanti spokeswoman Carrie Laudie denied Bloomberg’s report and said “there is no backdoor planted by hackers at Connect Secure.”

Mandiant did not respond to a request for comment.

Bloomberg’s findings are similar to what was previously reported about remote networking equipment provider, Citrix, which was mass layoffs following a 2022 agreement and Elliott Investment Management and Vista Equity Partners to buy the company. Like Ivanti, Citrix has been surrounded by cybersecurity incidents and big mistakes in recent years.

Ivanti’s VPN tools have been the subject of two more attacks since then.

In early 2024, the US cybersecurity agency CISA ordered all federal agencies to terminate their Ivanti VPN devices within two days because hackers were cleverly exploiting vulnerabilities that Ivanti was unaware of at the time. Ivanti as well warned customers last year that hackers were using another major flaw in the Connect Secure product to hack customers.

This article has been edited to include a comment from Ivanti’s spokesperson, as well as clarification in the second paragraph.