On April 20, 2021, US-CERT issued an alert warning about an ongoing malicious campaign abusing vulnerable Pulse Connect Secure products to attack organizations across the US. The campaign began in June 2020 and involved multiple security incidents affecting government agencies, critical infrastructure assets, and private sector organizations. Threat actors rely on a set of known flaws in Pulse Connect Secure to gain initial access and place webshells on compromised instances. These webshells are then used for password logging, single and multifactor authentication bypass, and persistence across upgrades.
According to US-CERT, threat actors leverage a set of four bugs affecting Pulse Connect Secure products. The list includes three older vulnerabilities that allow arbitrary code execution (CVE-2020-8243, CVE-2020-8260) and arbitrary file read (CVE-2019-11510). All of these security holes were disclosed earlier and fully patched by the vendor within the last two years.
Attackers also leverage a recently discovered flaw (CVE-2021-22893), which, according to Ivanti, the vendor, impacts a very limited number of customers. It is an authentication bypass bug that allows unauthenticated adversaries to perform arbitrary file execution on the Pulse Connect Secure gateway. This flaw is rated critical, with a CVSS score of 10.0. Although Ivanti has already released a temporary workaround to mitigate the possible negative effects of the security issue, the full patch won’t be available earlier than May 2021.
Security researchers from FireEye are currently tracking at least 12 malware families being distributed with the help of the above-mentioned flaws. Most of the nefarious samples are unrelated to each other and were disclosed in separate inquiries. Therefore, security experts state with a high level of confidence that multiple hacker groups are involved in Pulse Connect Secure abuse.
Notably, part of the revealed malicious activity was attributed to a Chinese government-backed APT group that targeted Defense Industrial Base and European institutions between August 2020 and March 2021. Additionally, FireEye tracks the activity of another advanced persistent threat whose attribution is currently undetermined. This actor was involved in multiple attacks leveraging Pulse Connect Secure vulnerabilities against global government agencies between October 2020 and March 2021.
All Pulse Connect Secure users are urged to check if their appliances are fully patched and upgraded. Ivanti has released a dedicated blog post detailing the vulnerabilities under fire and providing the mitigation steps. Additionally, the vendor has recently produced the Pulse Security Integrity Checker Tool allowing customers to evaluate their installations and check if they are experiencing any security issues.
To enhance proactive defense against the ongoing attacks, the SOC Prime Team, in collaboration with our Threat Bounty developers, has released a set of Sigma rules for detecting exploitation of Pulse Connect Secure vulnerabilities:
Possible Pulse Connect Secure RCE Vulnerability Exploitation 2021 [CVE-2021-22893] (via web)
Pulse Connect Secure Attack [CVE-2019-11510]
You can also check the full list of detections covering Pulse Connect Secure flaws in Threat Detection Marketplace. All fresh detection content will be added to this article, so follow our blog to avoid missing further updates.
Subscribe to Threat Detection Marketplace for free and reach 100K+ queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks mapped to CVE and MITRE ATT&CK® frameworks. Eager to join threat hunting initiatives and develop your own Sigma rules? Join our Threat Bounty Program!