Defense firms, Government Organization was targeted in Pulse Secure Zero Day Vulnerability
TeamHood
2 min read
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial base (DIB) networks.
To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release.
As a workaround, the vulnerability can be mitigated on some gateways by disabling Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory .
Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
Chinese state actors are behind the attack
CVE-2021-22893 was exploited in the wild in conjunction with other Pulse Secure bugs by suspected state-sponsored threat actors to hack the networks of dozens of US and European government, defense, and financial organizations and execute arbitrary code remotely on Pulse Connect Secure gateways.
FireEye suspects that the UNC2630 threat actor is behind these attacks, which is similar to APT 5 group that operates on behalf of the Chinese government, based on “strong similarities to historic intrusions dating back to 2014 and 2015” conducted by APT.
According to the FireEye:
- UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
- UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.
“They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks.
“They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected.”
UNC2630’s primary goals are to maintain long-term access to networks, collect credentials, and steal proprietary data, according to Carmakal.
