State hackers have recently exploited the leak in Pulse Secure VPN software, claiming intelligence services AIVD and MIVD. The leak came to light in March of last year and a patch followed a month later, but many companies did not implement the patch for a long time.
It is unknown which countries exploit the vulnerability. Because of the abuse of the leak by state hackers, AIVD and MIVD have “advised companies and organizations on resilience-enhancing measures,” said Minister of Security and Justice Ferd Grapperhaus in a letter to Parliament. Until now it was known that there were exploits for the Pulse Secure leak, but until now it seemed that only criminals were exploiting the leak.
It is unclear how the intelligence services discovered that state hackers are abusing the leak and what the consequences have been. Pulse Secure provides VPN software to hundreds of Dutch companies and government organizations. The ransomware at GWK Travelex from the end of last year would have arrived via the leak at Pulse Secure.
In October, the National Cyber Security Center also warned that many companies were still using the vulnerable VPN connection. In September de Volkskrant wrote that hundreds of Dutch companies, including Shell, defense contractors, and DPG Media had not yet implemented the patch to close the leak.