Over the past few months, several cyberespionage groups, including one believed to be tied to the Chinese government, have been breaking into the networks of organizations from the United States and Europe by exploiting vulnerabilities in VPN appliances from zero-trust access provider Pulse Secure. Some of the flaws date from 2019 and 2020, but one was unknown until this month.
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”
Pulse Secure VPN zero-day vulnerability
While investigating breaches this year at defense, government and financial organizations around the world, the Mandiant team kept finding malicious activity in the compromised environments that traced back to the victims' Pulse Secure VPN appliances, on which the attackers had obtained administrative access. The investigators could not determine how the attackers had gained administrative credentials, so the team contacted Pulse Secure and its parent company, Ivanti. Their joint investigation concluded that the attackers were likely using known vulnerabilities found and patched over the past two years, but also a previously unknown one.
Tracked as CVE-2021-22893, the flaw allows attackers to bypass authentication on the Pulse Connect Secure (PCS) VPN solution and execute arbitrary code. The vulnerability is rated critical, with the maximum severity score of 10 on the CVSS scale. A patch for the issue will be included in version 9.1R.11.4 of the PCS server, which has not been released yet. Until then, Pulse Secure has provided a workaround in the form of an .xml configuration file that can be imported into the appliance. The file disables the Windows File Share Browser and Pulse Secure Collaboration features of the appliance to block the…