DHS CISA: Critical Pulse Secure VPN Vulnerabilities Under Active Attack
Ivanti issued mitigation measures for a zero-day authentication bypass vulnerability in its Pulse Secure SSL VPN appliance, which DHS CISA warns is under active attack.
By - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency issued an alert that warned critical, zero-day vulnerabilities in certain Ivanti Pulse Connect Secure SSL VPNs are under attack, including those owned by critical infrastructure, private sector, and government entities.
Threat actors are exploiting multiple vulnerabilities found in certain Pulse Connect Secure appliances: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. Patches were issued for the first three flaws in 2019 and 2020, but some organizations have failed to apply the software updates.
A successful exploit allows the attacker to install webshells onto the devices to proliferate across connected devices and maintain persistence on the network. The known webshells enable a host of nefarious activities, such as authentication bypass, multi-authentication bypass, password logging, and persistence through patching.
The attacks began around June 2020, and threat actors have already successfully compromised government agencies, critical infrastructure entities, and private sector networks. CISA efforts have supported those victims with recovery, which confirmed the initial access was gained through the Pulse Secure flaw.
In these attacks, the actor modified several legitimate Pulse Secure files on the impacted appliances with a range of webshell functionality. The attacker then ran a number of commands, and the actions were logged in the Unauthenticated Requests Log.
“The cyber threat actor is using exploited devices located on residential IP space — including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors — to proxy their connection to interact with the webshells they placed on these devices,” CISA warned.
“These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity,” they added. “Details about lateral movement and post-exploitation are still unknown at this time.”
Ivanti previously provided mitigation measures and is currently developing a patch for the flaws. CISA urged all entities using the Ivanti Pulse Connect Secure appliances to immediately leverage the provided Integrity Tool.
Developed by Ivanti, the tool enhances the administrator’s ability to verify the PCS image installed on both virtual and hardware appliances and checks for the integrity of the complete file system, as well as any additional or modified files.
Entities should run the integrity tool, first taking a snapshot of the appliance before the launch on virtualized platforms. For physical appliances, administrators will need to consider the consequences of the reboot and tool. Ivanti encourages those clients to reach out for support.
If the tool finds unauthorized or mismatched files, administrators should contact CISA with the findings and Ivanti for assistance in capturing the forensic data. Administrators should also review the unauthenticated web request logs for any evidence of exploitation.
The tool should be run on a daily basis until the mitigations have been implemented, or once the patch has been deployed. Ivanti previously provided remediation steps that will provide adequate protection against the identified activity.
“In the past, intruders were primarily targeting infrastructure devices. While intruders can perform several types of attacks on network devices, malicious actors are now looking for ways to subvert the normal behavior of infrastructure devices,” Ivanti researchers explained.
“In general, these intruders can gain access, typically by exploiting vulnerabilities on the system or possibly manipulate an authorized user via a number of social engineering attacks,” they added.
Administrators can also enable the unauthenticated request option within the appliance to analyze the user access logs. By checking the external Syslog files, the administrator can also determine if there have been any unusual authentication attempts on the PCS appliance.
The advisory also noted the vulnerability can be mitigated on some appliances by disabling the features Windows File Share Browser and Pulse Secure Collabortation.
Further, entities should update to the latest software versions and investigate the device and network for any malicious activities. And administrative access should be confined to just internal or management interfaces, and admin access should be disabled from the external port.
CISA also issued an emergency directive that gives federal agencies until Friday, April 23, to apply the provided mitigation measures. While only a federal requirement, the directive provides invaluable guidance to all entities for remediating the threat.
