Attackers exploit Pulse Secure VPNs to target the defense and financial sectors
In a series of recent attacks, threat actors have been exploiting vulnerabilities in Pulse Secure VPN devices to target the U.S. defense industry, financial organizations, and targets abroad, including in Europe.
Stephen Eckels, a reverse engineer at Mandiant, has stated that these attacks often involve exploiting 2019 vulnerabilities on unpatched systems. However, attackers have also demonstrated the capability to compromise fully patched systems at a limited number of high-value targets.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive this week, warning federal agencies to mitigate exposure to Pulse Connect Secure vulnerabilities. All organizations running Pulse Secure devices are advised to follow the steps outlined in the CISA Activity Alert and Emergency Directive to identify potential intrusions and run the Integrity Checker.
CISA is aware of 24 agencies running Pulse Connect Secure devices, but it's too early to determine conclusively how many have actually had the vulnerability exploited. Users are encouraged to report any hash mismatches or newly detected files to the vendor and to CISA to help understand the extent of exposure in both the private and public sectors.
The threat activity is linked to four vulnerabilities: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and a newly discovered vulnerability CVE-2021-22893. Researchers at Mandiant are tracking 12 malware families linked to the attacks on Pulse Secure VPN devices.
The Pulse Connect Secure team has provided remediation guidance to customers who have found evidence of exploitation on their PCS appliances. Officials at Ivanti, the parent company of Pulse Secure, have also been working with customers affected by the latest series of attacks.
The Department of Defense is assessing the potential impact to the Defense Information Network. No specific details were provided about the number or identity of the high-value targets compromised by the attackers, nor about the nature or extent of the data breaches or potential damage caused by the attacks on Pulse Secure VPN devices.
The threat actor is installing webshells on Pulse Secure devices that bypass single-factor and multifactor authentication, log passwords, and persist across patching. The CVE-2021-22893 vulnerability in Pulse Secure VPN devices was discovered by researchers from Mandiant.
It's crucial for all organizations to take immediate action to secure their Pulse Secure VPN devices and mitigate the risk of attacks by April 23, as urged by CISA. This serves as a reminder of the importance of regular system updates and vigilance in the face of cyber threats.