Threat Group Actively Exploiting Pulse Connect Secure Vulnerabilities, Including a New Zero-Day

The latest advisory from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) reports that one or more threat groups are exploiting vulnerabilities in Ivanti’s Pulse Connect Secure devices. Although there is no formal attribution, some security researchers have associated the threat actor with China. The targets of the attacks are government, security, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been used in attacks exploiting the vulnerabilities since August 2020. The attacks included harvesting credentials to enable lateral movement within victim networks, as well as the use of scripts and the replacement of files to establish persistence.

Several organizations have now confirmed that they were attacked after detecting malicious activity with the Pulse Connect Secure Integrity Device. Access to the Pulse Connect Secure appliances was gained by exploiting several vulnerabilities: three disclosed in 2019 and 2020 and one recently discovered zero-day. Patches for the first three – CVE-2020-8260, CVE-2020-8243, and CVE-2019-11510 – have been available for several months; however, no patch has yet been released for the recently disclosed zero-day, CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has been assigned the maximum CVSS severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. An unauthenticated attacker exploiting the vulnerability can remotely execute arbitrary code on the Pulse Connect Secure gateway. The vulnerability is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although Ivanti has not yet confirmed this. The vulnerability affects Pulse Connect Secure 9.0R3 and later versions.

Threat actors are exploiting the vulnerabilities to plant web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat group to bypass authentication, including multi-factor authentication controls, capture sign-in passwords, and maintain persistent access to the device even after patches are applied.

Ivanti and CISA strongly urge all users of vulnerable Pulse Connect Secure devices to apply the available patches promptly to prevent exploitation, and to apply the mitigations recently published by Ivanti to reduce the risk of exploitation of CVE-2021-22893 until a patch is released. The workaround disables two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which is done by importing the workaround-2104.xml file. A patch for CVE-2021-22893 is expected to be released in May 2021.

Because patching will not remove access that attackers have already gained where the vulnerabilities were exploited, CISA strongly advises running the Pulse Connect Secure Integrity Tool to determine whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, to install and run the Pulse Connect Secure Integrity Tool to identify malicious activity, and to implement the mitigation for CVE-2021-22893. These actions must be completed by 5 pm Eastern Daylight Time on April 23, 2021.
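As an added illustration of the steps the directive lays out (inventory the appliances, run the Integrity Tool, apply the mitigation), the following Python script triages a constructed appliance inventory against the facts stated above. It is example code written for this summary, not a CISA or Ivanti tool; the inventory record fields, appliance names and version values are assumptions, and the only facts it encodes are the affected range (9.0R3 and later) and the two required actions. It also shows how to parse Pulse Connect Secure version strings such as 9.1R11.4 so they compare correctly.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected range stated in the advisory: Pulse Connect Secure 9.0R3 and later,
# expressed as (major, minor, release, patch). Lower versions are outside the stated range.
AFFECTED_FROM = (9, 0, 3, 0)

# Pulse Connect Secure version strings look like "9.0R3" or "9.1R11.4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> tuple[int, int, int, int]:
    """Turn a version string into a comparable (major, minor, release, patch) tuple.

    A missing trailing patch component is treated as 0, so "9.0R3" equals "9.0R3.0".
    Comparing tuples avoids the classic string-comparison bug where "9.1R8" > "9.1R11".
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls in the range the advisory names for CVE-2021-22893."""
    return parse_pcs_version(version) >= AFFECTED_FROM


@dataclass
class Appliance:
    """One inventory record (constructed field names, not a Pulse Secure export format)."""
    name: str
    version: str
    kind: str                   # "virtual" or "hardware": the directive covers both
    workaround_applied: bool    # workaround-2104.xml imported (disables the two features)
    integrity_tool_run: bool    # Pulse Connect Secure Integrity Tool has been run


ACTION_RUN_INTEGRITY_TOOL = "run the Pulse Connect Secure Integrity Tool"
ACTION_APPLY_WORKAROUND = "import workaround-2104.xml (CVE-2021-22893 mitigation)"


def required_actions(appliance: Appliance) -> list[str]:
    """List the outstanding directive actions for one appliance.

    The Integrity Tool check is independent of the workaround, because
    mitigating or patching does not evict an attacker who is already in.
    """
    if not is_affected(appliance.version):
        return []  # outside the stated affected range; it still stays in the inventory
    actions = []
    if not appliance.integrity_tool_run:
        actions.append(ACTION_RUN_INTEGRITY_TOOL)
    if not appliance.workaround_applied:
        actions.append(ACTION_APPLY_WORKAROUND)
    return actions


def triage(inventory: list[Appliance]) -> dict[str, list[str]]:
    """Map each appliance name to its outstanding actions (empty list = nothing left to do)."""
    return {a.name: required_actions(a) for a in inventory}


# Constructed sample inventory for demonstration; names and versions are made up.
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-01", "9.1R11.4", "hardware", workaround_applied=False, integrity_tool_run=False),
    Appliance("vpn-dr-02", "9.0R3", "virtual", workaround_applied=True, integrity_tool_run=True),
    Appliance("vpn-eu-03", "9.1R8", "virtual", workaround_applied=True, integrity_tool_run=False),
    Appliance("vpn-lab-04", "9.0R2", "virtual", workaround_applied=False, integrity_tool_run=False),
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        status = "; ".join(actions) if actions else "no outstanding actions"
        print(f"{name}: {status}")
```

Feeding a real inventory export in place of `SAMPLE_INVENTORY` gives a per-appliance checklist; an appliance with an empty action list has had the Integrity Tool run and the workaround imported, which is the state the directive asks agencies to reach.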