Multiple APT Groups Exploit Critical Pulse Secure Zero-Day

Pulse Secure customers have been urged to take immediate steps to mitigate a critical zero-day vulnerability in the popular VPN platform, after researchers revealed multiple APT groups are targeting it.

CVE-2021-22893 has a CVSS score of 10.0 and is listed as a critical authentication bypass vulnerability in Pulse Connect Secure.

It’s being used in combination with multiple legacy CVEs in the product from 2019 and 2020 to compromise victims in defense, government, financial and other organizations around the world, according to Mandiant.

“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” it said in an analysis of one threat group.

“These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”

The Mandiant report covers the activity of UNC2630, believed to be linked to Chinese threat group APT5, against US defense company networks.

The above-mentioned bugs are used to bypass authentication in place on the VPN devices, including multi-factor authentication, allowing the attackers to install webshells for persistence and perform espionage activities.

“We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted,” explained Phil Richards, CSO at Pulse Secure’s new owner, Ivanti.

“There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information.”

Ivanti has also released an integrity checker tool for customers to see if they’ve been impacted by the threat.

Both the UK’s NCSC and US CISA have released emergency guidance on this breaking threat.

Leave a Reply