US cybersecurity authorities last week ordered all federal agencies to fix software flaws exploited by hackers. These are believed to be linked to foreign governments.
"These vulnerabilities pose an unacceptable risk to federal network security," said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), in a statement. CISA's "emergency directive" gives agencies five days to update the vulnerable software, or as a last resort, remove it completely from their networks. It does not apply to Pentagon computer networks, which are not under CISA's jurisdiction.
The vulnerabilities in question are found in a type of software made by VMware, whose products are widely used in the US government. On April 6, the California-based technology giant issued a fix for software flaws that would allow hackers not only to access files remotely, but also to install themselves on the network itself. Two days after the patch was released, hackers discovered an alternative way to break into computers using the vulnerabilities, according to CISA. This event forced VMWare to release software updates to plug these newly discovered vulnerabilities, which CISA ordered the agencies to address.
The agency did not identify the hackers or which systems they served as.
As a rule, CISA officials use their emergency authority to force agencies to fix serious software flaws when spies or criminals might attack their security. In the last 3 years, this agency has used its resources 10 times, including in response to the so-called SolarWinds " hackingcampaign", believed to have been carried out by Russian agents. This went unnoticed by the American authorities for a long time, resulting in a security breach of at least nine federal agencies, including those dealing with national security, such as the departments of Homeland Security and Justice.
https://edition.cnn.com/2022/05/18/politics/software-bug-warning-vmware/index.html
