A zero-day vulnerability in Pulse Secure VPN appliances is being exploited by threat actors in several attacks on government targets as well as financial organizations and defense contractors.
In an out-of-band advisory Tuesday, Pulse Secure disclosed that a vulnerability in its Pulse Connect Secure (PCS) series enables a remote, unauthenticated attacker to bypass authentication and execute arbitrary code. The critical vulnerability -- dubbed CVE-2021-22899 -- received the maximum Common Vulnerability Scoring System score of 10 and affects PCS 9.0R3 and higher. Pulse Secure said that while the vulnerability poses a significant risk to customer deployments, only a very limited number of customers are affected.
The risk was significant enough that on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian departments and agencies running Pulse Secure products to "assess and mitigate any anomalous activity or active exploitation detected on their networks." Additionally, Pulse Secure developed an Identity Checker tool for mitigation, which the CISA emergency directive required all affected agencies to use.
While the tool has been released, a final patch to address the vulnerability will not be available until early May. However, the zero-day vulnerability is already being used in several attacks, which were detected by FireEye's Mandiant threat intelligence team.
In response to multiple security incidents involving Pulse Secure VPN appliances, Mandiant threat researchers released a report Tuesday with further details about the new vulnerability and the threat actors exploiting it. According to that report, Pulse Secure's investigation determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021 are responsible for the initial infection vector. Mandiant said it investigated multiple intrusions early this year at defense, government and financial organizations around the world.
"In each intrusion, the earliest evidence of attacker activity traced back to [Dynamic Host Configuration Protocol] DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment," the report said.
While Mandiant was unable to determine how the actors obtained administrator-level access to the appliances, it suspects some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities dating back to 2019 and 2020, while other intrusions were due to the exploitation of the newer CVE-2021-22899 vulnerability.
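The investigative step the Mandiant report describes above, tracing the earliest attacker activity on each internal host back to the IP ranges a VPN appliance assigns to its clients, is a check a defender can run over their own authentication logs. The following is an added illustration, not code from the article, from Mandiant or from Pulse Secure: the VPN client address pools and the log lines are constructed sample data, and the log format is an assumed simplified syslog-style layout, so the regular expression would need adapting to real log sources.

```python
import ipaddress
import re
from datetime import datetime

# Constructed: address pools a VPN appliance hands out to connected clients
# (in a real environment, take these from the appliance's client-IP configuration).
VPN_CLIENT_POOLS = [
    ipaddress.ip_network("10.200.0.0/22"),
    ipaddress.ip_network("10.200.8.0/24"),
]

# Constructed sample authentication log lines: timestamp host event user src
SAMPLE_LOGS = """\
2021-03-02T08:14:05Z fileserver01 logon_success user=jsmith src=10.50.1.23
2021-02-19T22:41:17Z dc01 logon_success user=svc_backup src=10.200.1.77
2021-02-20T01:03:44Z fileserver01 smb_session user=svc_backup src=10.200.1.77
2021-03-01T11:00:00Z dc01 logon_success user=admin src=10.200.9.5
2021-03-01T11:05:00Z hr-db logon_failure user=admin src=192.168.4.4
"""

# Assumed simplified log layout; real sources (Windows event logs, syslog) differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def from_vpn_pool(addr, pools=VPN_CLIENT_POOLS):
    """True if the source address falls inside any VPN client address pool."""
    return any(addr in net for net in pools)


def earliest_vpn_sourced_activity(log_text, pools=VPN_CLIENT_POOLS):
    """For each internal host, find the earliest event whose source address
    came from a VPN client pool. Returns {host: (timestamp, user, src)}.
    The earliest such event per host is the starting point for an intrusion timeline."""
    earliest = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not from_vpn_pool(rec["src"], pools):
            continue
        current = earliest.get(rec["host"])
        if current is None or rec["ts"] < current[0]:
            earliest[rec["host"]] = (rec["ts"], rec["user"], str(rec["src"]))
    return earliest


def accounts_seen_from_vpn(log_text, pools=VPN_CLIENT_POOLS):
    """Accounts that authenticated from VPN pool addresses; candidates for
    credential reset once the appliance is suspected of being compromised."""
    return sorted(
        {rec["user"] for rec in map(parse_line, log_text.splitlines())
         if rec is not None and from_vpn_pool(rec["src"], pools)}
    )


if __name__ == "__main__":
    for host, (ts, user, src) in sorted(earliest_vpn_sourced_activity(SAMPLE_LOGS).items()):
        print(f"{host}: earliest VPN-sourced activity {ts.isoformat()} user={user} src={src}")
    print("accounts to review:", accounts_seen_from_vpn(SAMPLE_LOGS))
```

On the constructed data the script pins the first VPN-sourced activity on dc01 to the svc_backup logon from 10.200.1.77 and on fileserver01 to the SMB session that followed, while the 10.200.9.5 and 192.168.4.4 events are ignored because they fall outside the configured pools. The same approach is how the report's finding translates into a timeline on a defender's own logs; the per-account list is the input to the credential reset that Pulse Secure compromise guidance calls for.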
FireEye said it observed the threat activity -- which the vendor tracks as UNC2630 -- harvesting credentials from various Pulse Secure VPN login flows, which ultimately enabled the actor to use legitimate account credentials to move laterally into the affected environments. While it is not entirely clear which nation or group the advanced persistent threat (APT) is associated with, the activity does track with another campaign.
"Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5," the report said.
In a joint cybersecurity advisory Thursday, the National Security Agency, FBI and CISA said Russian Foreign Intelligence Service (SVR) actors have frequently used five known vulnerabilities to gain initial footholds into victim devices and networks. One of those vulnerabilities, CVE-2019-11510, is an older flaw also found in Pulse Secure VPN appliances.
A Mandiant spokesperson told SearchSecurity the exploitation of this zero-day is not related to the SVR attacks on CVE-2019-11510.
The spokesperson also said the Identity Checker tool can detect issues related to other recent Pulse Secure vulnerabilities besides the zero-day, including CVE-2019-11510, CVE-2020-8243, CVE-2020-8260 and CVE-2021-22893.
Attacks on VPNs have increased during the COVID-19 pandemic, as evidenced by Thursday's joint advisory, in which three of the five listed vulnerabilities were found in VPNs. Ben Read, director of cyberespionage analysis at Mandiant, said VPNs are valuable targets for cyberespionage groups because they hold valuable information, such as login credentials, and are exposed to the open internet by design.
"In order for VPN appliances to work correctly, they need to be accessible from outside the network," Read said. "However, this fact makes a vulnerability in them especially valuable to a cyberespionage group."