Chinese APT exploits critical CVE in Pulse Secure VPN

Users of Pulse Secure VPN are being urged to patch a newly disclosed authentication bypass zero-day that enables an unauthenticated user to perform remote arbitrary file execution on the Pulse Secure Connect gateway – and is already being exploited.

CVE-2021-22893 carries a critical CVSS rating of 10 but can be mitigated for the time being by downloading a workaround from Pulse Secure. A full patch will not be available until at least the beginning of May.

Phil Richard, chief security officer at Ivanti, which acquired Pulse Secure in 2020, said: “The Pulse Connect Secure [PCS] team is in contact with a limited number of customers who have experienced evidence of exploit behaviour on their PCS appliances. The PCS team has provided remediation guidance to these customers directly.   

“The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system.”

Richard also described ongoing attempts to exploit appliances which, through lack of end-user attention, remain vulnerable to three other issues – CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260, all of which have been patched disclosed and patched within the past two years. Users are encouraged to review the firm’s previous advisories and follow the guidance, including changing all passwords within the environment, if impacted.

“Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system. For more information, visit the Pulse Secure Blog,” said Richard.

FireEye’s Mandiant said it had already been responding to incidents at customers whose VPN appliances have been compromised, and has been working closely with Pulse Secure on the disclosure.

Charles Carmakal, SVP and CTO at Mandiant, said: “Through the course of our investigations, we learned that a zero-day and other known vulnerabilities in the VPN solution were exploited to facilitate intrusions across dozens of organisations, including government agencies, financial entities and defence companies in the United States and abroad. We suspect these intrusions align with data and intelligence collection objectives by China.”

Carmakal said the advanced persistent threat (APT) group involved – dubbed UNC2360 – was highly skilled and had deep technical knowledge of Pulse Secure’s product. The group has developed novel malware that enables it to bypass multifactor authentication on affected devices to access target networks and modify scripts on the Pulse Secure system to allow the malware to evade software updates or hard resets. This has enabled the group to maintain persistence within their victims, probably for some time.

“Their primary goals are maintaining long-term access to networks, collecting credentials and stealing proprietary data,” he added.

Carmakal stressed that there was no evidence of any supply chain compromise of Ivanti’s network or software.

More information on the vulnerability, as well as details of the novel malware uncovered, Slowpulse, is available from Mandiant.