Active Exploitation of Pulse Connect Secure Zero-Day (CVE-2021-22893)


On Tuesday, April 20, 2021, security firm FireEye published detailed analysis of multiple threat campaigns targeting Ivanti’s Pulse Connect Secure VPN. According to FireEye’s analysis, threat actors have been leveraging multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. The focus of the analysis is on threats to U.S. defense networks, but Pulse Secure devices are also a perennially popular target for exploitation across a broad range of organizations’ networks.


While some of the intrusions FireEye is tracking were attributed to exploitation of older Pulse Secure vulnerabilities, threat actors have evidently also been using CVE-2021-22893, a previously unknown zero-day vulnerability, in combination with those older vulnerabilities to harvest credentials, move laterally within target environments, and persist using legitimate but modified Pulse Secure binaries and scripts on VPN appliances. For the full findings of FireEye’s investigation, including an extensive list of IOCs and ATT&CK techniques, we highly recommend reading their blog post.
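Because the persistence described above relies on legitimate appliance files being quietly modified and on new webshells being dropped beside them, the check a defender wants is a file-integrity diff against a known-good baseline. The following is an added example written for this page; it is not FireEye's tooling, not Pulse Secure's integrity checker, and the file names under the sample tree (`bin/login.cgi`, `cgi-bin/shell.cgi`) are constructed for illustration rather than taken from any real appliance:

```python
"""Baseline-and-diff file integrity check (added illustration, not vendor code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline.

    modified: a known file whose hash changed (a legitimate script with appended code)
    added:    a file the baseline never had (a dropped webshell)
    missing:  a baseline file that is gone
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed sample: baseline a small tree, then simulate the two persistence moves."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "cgi-bin").mkdir()
        # Hypothetical clean files standing in for appliance scripts.
        (root / "bin" / "login.cgi").write_bytes(b"#!/bin/sh\n# legitimate login handler\n")
        (root / "cgi-bin" / "index.cgi").write_bytes(b"#!/bin/sh\n# legitimate index\n")
        baseline = build_baseline(root)

        # Simulated tampering: append to a legitimate script, drop a new CGI file.
        (root / "bin" / "login.cgi").write_bytes(
            b"#!/bin/sh\n# legitimate login handler\n# appended: log submitted credentials\n"
        )
        (root / "cgi-bin" / "shell.cgi").write_bytes(b"#!/bin/sh\n# planted webshell\n")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must come from a trusted source (a clean install or the vendor's published hashes), be stored off the appliance, and be refreshed after each legitimate upgrade; a baseline captured after compromise simply enshrines the attacker's files. This is a point-in-time check, so it complements rather than replaces reviewing the IOCs in FireEye's write-up.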


Actively exploited zero-day: CVE-2021-22893


Pulse Secure released an out-of-band security advisory on Tuesday for CVE-2021-22893, a critical authentication bypass that allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability affects Pulse Connect Secure versions 9.0R3 and higher and carries a CVSSv3 base score of 10. There is no patch available (FireEye’s post indicated a “final” patch will be released in May), but Pulse Secure released a workaro ..
