Attackers are exploiting zero-day in Pulse Secure VPNs to breach orgs (CVE-2021-22893)

Attackers have been exploiting several old and one zero-day vulnerability (CVE-2021-22893) affecting Pulse Connect Secure (PCS) VPN devices to breach a variety of defense, government, and financial organizations around the world, Mandiant/FireEye has warned on Tuesday.

Phil Richards, the Chief Security Officer at Ivanti – the company that acquired Pulse Secure in late 2020 – said that the zero-day vulnerability “impacted a very limited number of customers,” and that the software updates plugging the flaw will be released in early May.

In the meantime, they’ve offered some workarounds that can mitigate the risk of exploitation of that particular vulnerability, as well as a tool that can help defenders check if their systems have been affected.

The attackers’ modus operandi

According to Mandiant/FireEye, several threat actors have been exploiting the four PCS flaws and using 12 malware families to circumvent authentication and gain backdoor access to the targeted devices.

One of these (UNC2630) is believed to operate on behalf of the Chinese government and is possibly connected to APT5 (aka Manganese). Another (UNC2717) could not be definitely tied to a government or known APT group.

“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” FireEye researchers shared.

That allowed them to:

• Trojanize shared objects with malicious code to log credentials and bypass authentication flows
• Inject webshells into Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices
• Toggle the filesystem between Read-Only and Read-Write modes so they can make modifications
• Maintain persistence on the appliances despite upgrades
• Unpatch modified files and delete utilities and scripts after use to evade detection
• Clear log files

The attackers have been at it since August 2020 and up until March 2021.

The exploited vulnerabilities

The attackers have been leveraging three previously known, exploited and already patched vulnerabilities in Pulse Connect Secure VPN devices: CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260.

CVE-2019-11510 is a critical arbitrary file disclosure vulnerability that can be exploited by unauthenticated attackers. CVE-2020-8243 is a code injection flaw, CVE-2020-8260 is an unrestricted file upload vulnerability, and both require authentication prior to exploitation.

Not much has been shared about the zero-day (CVE-2021-22893), aside from it being an authentication bypass vulnerability that, given the highest awarded CVSSv3 score, is likely exploitable by a remote, unauthenticated attacker, requires no user interaction, and allows arbitrary code execution.

“Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organizations, especially in the wake of the shift to the remote workforce over the last year,” noted Scott Caveza, Research Engineering Manager, Tenable.

“Attackers can utilize this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it’s just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510.”

Mitigation, remediation, and incident response

The vulnerability affects Pulse Connect Secure 9.0R3 and higher. The company has said that fixes for CVE-2021-22893 will be released in early May and that, until that moment, enterprise admins can implement a workaround: an .xml file that disables the appliance’s Windows File Share Browser and Pulse Secure Collaboration features.

In addition to this, they have released the Pulse Connect Secure Integrity Tool, which helps administrator check the integrity of the appliances’ file system and find additional or modified files. They also offered additional advice for impacted organizations.

“Organizations should examine available forensic evidence to determine if an attacker compromised user credentials. Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability,” Mandiant/FireEye researchers noted.

The U.S. CISA has released an emergency directive ordering federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf, and to deploy and run the latest version of the Pulse Connect Secure Integrity Tool on each of those instances. They offer specific guidance depending on the tool’s findings, as well as additional technical details and mitigation advice.