A critical zero-day authentication bypass vulnerability (CVE-2021-22893) was discovered in Pulse Secure VPN devices and is currently being exploited in the wild.
At least two threat actors have used critical vulnerabilities in Pulse Secure VPN devices to bypass multi-factor authentication safeguards and breach enterprise networks, targeting defense, government, and financial organizations in the United States and elsewhere.
According to cybersecurity firm FireEye, the initial infection vector is a combination of previously known vulnerabilities and CVE-2021-22893, a previously unknown vulnerability discovered in April 2021.
FireEye also identified 12 malware families linked to the exploitation of Pulse Secure VPN appliances.
UNC2630 and UNC2717 are the two threat clusters that FireEye is tracking. UNC2630 has been linked to a breach of US Defense Industrial Base (DIB) networks, and UNC2717 was discovered in March 2021 targeting a European organization.
The UNC2630 operations have been linked to Chinese government operatives, as well as potential links to another espionage actor, APT5, based on “strong parallels to historic intrusions dating back to 2014 and 2015.”
UNC2630’s attacks are thought to have begun in August 2020 and expanded in October 2020, when UNC2717 began repurposing the same vulnerabilities to install custom malware on government networks in Europe and the United States. The activity continued until March 2021.
The malware families identified are attributed to the two clusters as follows:
UNC2630 – SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
UNC2717 – PULSEJUMP, QUIETPULSE, and HARDPULSE
STEADYPULSE and LOCKPICK, two other malware strains used during the intrusions, have yet to be linked to a particular group.
Ivanti, the company behind the Pulse Secure VPN, has released temporary mitigations for the arbitrary file execution vulnerability (CVE-2021-22893, CVSS score: 10), with a patch expected to be released in May.
The company says that only a small number of customers were affected by the latest bug, and it has since introduced a Pulse Connect Secure Integrity Tool to help customers check for signs of compromise.
Pulse Secure customers are advised to upgrade to PCS Server version 9.1R.11.4 once it becomes available.