Threat Actor Actively Exploiting Pulse Connect Secure Vulnerabilities Including New Zero-Day Vulnerability

A recent alert from the DHS' Cybersecurity and Infrastructure Security Agency (CISA) states that at least one threat group is exploiting vulnerabilities in Ivanti's Pulse Connect Secure products. Although there has been no official attribution, several security researchers have linked the threat actor to China. Targets have included government, defense, financial, and critical infrastructure organizations.

FireEye, which has been monitoring the malicious activity, reports that about 12 malware families have been involved in attacks exploiting the vulnerabilities since August 2020. The attacks involved harvesting credentials to enable lateral movement inside victim networks, and using scripts and replacing legitimate files on the appliance to maintain persistence.

A number of organizations have already confirmed that they were attacked after detecting malicious activity with the Pulse Connect Secure Integrity Tool. Access to the Pulse Connect Secure appliances was gained by exploiting several vulnerabilities: three disclosed in 2019 and 2020 and one newly identified zero-day. Patches for the first three vulnerabilities (CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260) have been available for months; however, no patch is yet available for the newly disclosed zero-day vulnerability, CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has been assigned the maximum CVSS severity score of 10.0. Ivanti published a security advisory for the vulnerability on April 20, 2021. An unauthenticated attacker exploiting the vulnerability can remotely execute arbitrary code on the Pulse Connect Secure gateway. The vulnerability is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although Ivanti has not yet confirmed this. The vulnerability affects Pulse Connect Secure 9.0R3 and later versions.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. With web shells in place, the attackers can bypass authentication and multi-factor authentication controls, harvest login credentials, and retain persistent access to the appliance even after patches are applied.

Ivanti and CISA strongly recommend that all users of vulnerable Pulse Connect Secure devices apply the available patches immediately to prevent exploitation of the three older vulnerabilities, and implement the mitigations Ivanti recently released to reduce the risk of exploitation of CVE-2021-22893 until a patch is available. The workaround disables two Pulse Connect Secure features, Windows File Share Browser and Pulse Secure Collaboration, and is applied by importing the Workaround-2104.xml file. A patch for CVE-2021-22893 is expected in May 2021.

Because patching does not remove access an attacker has already gained, CISA strongly recommends running the Pulse Connect Secure Integrity Tool to determine whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal civilian agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances on their networks, deploy and run the Pulse Connect Secure Integrity Tool to detect malicious activity, and implement the mitigation for CVE-2021-22893. These actions must be completed by 5 p.m. Eastern Daylight Time on April 23, 2021.