Pulse Secure VPN zero-day exploited to breach US defense networks

Pulse Secure has shared mitigation measures for a zero-day vulnerability, tracked as CVE-2021-22893, that affects its Pulse Connect Secure (PCS) SSL VPN appliances and is being exploited in attacks against organizations worldwide.

As an interim measure, Pulse says customers should upgrade their gateways to the 9.1R11.4 release. On some gateways the vulnerability can also be mitigated by disabling the Windows File Share Browser and Pulse Secure Collaboration features.

Customers who want to check whether their appliances have been compromised can use the Pulse Connect Secure Integrity Tool released by Pulse Secure. A security update that fully fixes the vulnerability is not expected until the May release.
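The Integrity Tool works by comparing the files on an appliance against a known-good manifest. The following is an added illustration of that technique in Python, not the Integrity Tool's own code and not the real PCS file layout: it hashes a pristine tree into a manifest, then checks a tampered copy and reports files that were modified (a patched upgrade script), added (a dropped web shell) and removed. The directory names and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so an attacker cannot point a 'clean' name elsewhere."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a live tree against a known-good manifest.
    Returns files whose hash differs, files not in the manifest (new drops),
    and manifest files that are missing from the live tree."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    added = sorted(f for f in current if f not in manifest)
    missing = sorted(f for f in manifest if f not in current)
    return {"modified": modified, "added": added, "missing": missing}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative_path: bytes} mapping on disk."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


# Constructed sample trees (hypothetical paths, not the PCS layout):
# a pristine appliance image and a copy as an intruder might leave it.
PRISTINE_FILES = {
    "bin/upgrade.sh": b"#!/bin/sh\n# apply vendor update\n",
    "bin/config.sh": b"#!/bin/sh\n# apply configuration\n",
    "htdocs/auth/login.cgi": b"#!/usr/bin/perl\n# login page\n",
}
TAMPERED_FILES = {
    # upgrade script patched so the implant is re-applied after every update
    "bin/upgrade.sh": b"#!/bin/sh\n# apply vendor update\n/tmp/.persist.sh\n",
    # config.sh deleted
    "htdocs/auth/login.cgi": b"#!/usr/bin/perl\n# login page\n",
    # new file dropped into the web root
    "htdocs/auth/shell.cgi": b"#!/usr/bin/perl\n# dropped web shell\n",
}


def demo() -> dict:
    """Build the manifest from the pristine tree and verify the tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        live = Path(tmp) / "live"
        write_tree(pristine, PRISTINE_FILES)
        write_tree(live, TAMPERED_FILES)
        manifest = build_manifest(pristine)
        return verify_tree(live, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"{kind:9s}{f}")
```

The manifest must come from a trusted source (vendor-published hashes or an image taken from the vendor's media), never from the appliance being checked: an intruder who has already modified the upgrade path can just as easily regenerate on-box hashes.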

The vulnerability has been exploited in the wild by suspected state-sponsored threat actors, who used it to execute arbitrary code remotely on Pulse Connect Secure gateways and breach the networks of dozens of US and European government, defense and financial organizations.

Cyber-security firm FireEye tracks at least two of these actors as UNC2630 and UNC2717, which between them deployed a total of 12 malware families in the attacks.

The firm suspects that UNC2630 is connected to APT5, a group that operates on behalf of the Chinese government.

“Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5,” FireEye said.

“While we cannot make the same connections, the third-party assessment is consistent with our understanding of APT5 and their historic TTPs and targets.”

As per FireEye:

  • UNC2630 targeted U.S. defense industrial base (DIB) companies from as early as August 2020 until March 2021 with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK.
  • UNC2717 targeted global government organizations with HARDPULSE, QUIETPULSE, and PULSEJUMP between October 2020 and March 2021.

Charles Carmakal, FireEye Mandiant SVP and CTO, said: “These actors are highly skilled and have deep technical knowledge of the Pulse Secure product.”

“They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks.

“They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected.”

According to Carmakal, UNC2630's main aims are to maintain long-term access to victim networks, collect credentials, and steal proprietary data.

There is currently no evidence that these threat actors introduced any backdoors through a supply-chain compromise of Pulse Secure's network or software deployment process.