Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base (DIB) networks.
To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.
As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today.
Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances. The PCS team has provided remediation guidance to these customers directly.
The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">Security Advisory SA44101 (CVE-2019-11510), https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588">Security Advisory SA44588 (CVE- 2020- 8243) and https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601">Security Advisory SA44601 (CVE- 2020- 8260). Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted.The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. PCS will issue a software update in early May. Visit https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s">Security Advisory SA44784 (CVE-2021-22893) for more information.Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system. – Pulse Connect Secure
Chinese-backed state hackers likely behind attacks
CVE-2021-22893 was exploited in the wild in conjunction with other Pulse Secure bugs by suspected state-sponsored threat actors to hack the networks of dozens of US and European government, defense, and financial organizations and execute arbitrary code remotely on Pulse Connect Secure gateways.
At least two threat actors tracked as UNC2630 and UNC2717 by cybersecurity firm FireEye have been deploying 12 malware strains in these attacks.
FireEye also suspects that the UNC2630 threat actor may have ties to APT5, a known APT group that operates on behalf of the Chinese government, based on “strong similarities to historic intrusions dating back to 2014 and 2015” conducted by APT5.
“Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5,” FireEye said.
“While we cannot make the same connections, the third party assessment is consistent with our understanding of APT5 and their historic TTPs and targets.”
According to the FireEye:
- UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
- UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.
“These actors are highly skilled and have deep technical knowledge of the Pulse Secure product,” Charles Carmakal, FireEye Mandiant SVP and CTO, said.
“They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks.
“They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected.”
UNC2630’s primary goals are to maintain long-term access to networks, collect credentials, and steal proprietary data, according to Carmakal.
At the moment, there is no evidence that these threat actors have introduced any backdoors through a supply chain compromise of Pulse Secure’s network or software deployment process.