Pulse Secure Vulnerability Used to Hack Government Organizations
The Vulnerability Includes an Authentication Bypass That Allows an Unauthenticated User to Perform Remote Arbitrary File Execution on the Pulse Connect Secure Gateway.
A vulnerability was discovered in Pulse Connect Secure (PCS). Tracked as CVE-2021-22893, the vulnerability has a critical CVSS score of 10/10 and poses a significant risk to any deployment.
To mitigate the vulnerability, Pulse Secure is advising customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.
A workaround also exists: on some gateways the vulnerability can be mitigated by disabling the Windows File Share Browser and Pulse Secure Collaboration features, using the instructions in the security advisory published earlier today.
In order to help their customers find out if their systems were impacted, Pulse Secure also released the Pulse Connect Secure Integrity Tool.
The Pulse Secure team recently discovered that a limited number of customers have experienced evidence of exploit behavior on their Pulse Connect Secure (PCS) appliances. We are sharing information about the investigation and our actions through several communications channels in the best interests of our customers and the greater security community.
The team has been working proactively with leading forensic experts and industry groups, including Mandiant/FireEye, CISA and Stroz Friedberg, among others, to investigate and respond to the exploit behavior.
We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted.
The vulnerability in question was previously exploited in the wild together with other Pulse Secure bugs. Cybersecurity company FireEye suspects that UNC2630 and UNC2717 have been deploying 12 malware strains in these attacks, with the UNC2630 threat actor having possible ties to APT5, a known APT group operating on behalf of the Chinese government.
At this time, there is no evidence that the threat actors have placed any backdoors through a supply chain attack of Pulse Secure’s network or software deployment process.