A newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) in Pulse Secure VPN devices is being exploited in the wild.
At least two threat actors have carried out a series of intrusions against defense, government, and financial organizations in the U.S. and elsewhere, leveraging critical vulnerabilities in Pulse Secure VPN devices to bypass multi-factor authentication and breach enterprise networks.
The cybersecurity firm FireEye stated that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, served as the initial infection vector.
FireEye has identified 12 malware families associated with the exploitation of Pulse Secure VPN appliances.
The company is also tracking the activity under two threat clusters, UNC2630 and UNC2717. UNC2630 is linked to a break-in of U.S. Defense Industrial Base (DIB) networks, while UNC2717 was found targeting a European organization in March 2021.
UNC2630 has been attributed to operatives working on behalf of the Chinese government, with possible ties to the espionage actor APT5 based on "strong similarities to historic intrusions dating back to 2014 and 2015."
The UNC2630 attacks are believed to have started as early as August 2020 and expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021.
The malware families are:
UNC2630 – SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
UNC2717 – HARDPULSE, QUIETPULSE, and PULSEJUMP
Two additional malware strains deployed during the intrusions, STEADYPULSE and LOCKPICK, have not been linked to a specific group.
Ivanti, the company behind Pulse Secure VPN, has released temporary mitigations for the flaw (CVE-2021-22893, CVSS score: 10), an authentication bypass that allows an unauthenticated attacker to perform remote arbitrary file execution on the Pulse Connect Secure gateway; a fix for the issue is expected to be released in May.
The company acknowledged that the new flaw affected only a very small number of customers, and it has also released a Pulse Connect Secure Integrity Tool that customers can run to check their appliances for signs of compromise.
Pulse Secure customers are advised to upgrade to PCS Server version 9.1R11.4 when it becomes available, and to apply the temporary mitigations until then.