Threat actors are exploiting vulnerabilities in Pulse Connect Secure products. Here's what you need to know.
August 6, 2021 Update:
U.S. CISA has released the following alert regarding a new patch for Ivanti Pulse Secure Connect, which was the subject of Cyber Activity Alert in April 2021. While it's unclear as yet if these vulnerabilities are being actively targeted, any system that is not fully patched to (PCS) 9.1R12 or later will be vulnerable.
U.S. CISA Message: Pulse Secure has released Pulse Secure Connect system software version 9.1R12 to address multiple vulnerabilities an attacker could exploit to take control of an affected system.
CISA encourages users and administrators to review Pulse Secure’s Security Advisory SA44858 and apply the necessary update.
Original post - April 2021
Threat actors are exploiting four vulnerabilities in Pulse Connect Secure products, widely used for virtual private network (VPN) remote access. Ivanti Pulse Connect Secure customers should take immediate action to determine if they are impacted.
On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in certain Ivanti Pulse Connect Secure products, which are widely used for virtual private network (VPN) remote access. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Quick facts: what you need to know now
- A patch is now available here.
- The affected products include:
- Pulse Connect Secure prior to 9.1R.11.4
- Pulse Policy Secure (PPS) 9.1Rx or below
- Pulse Secure Desktop Client (PDC) 9.1Rx or below
- Pulse Secure has identified four issues which are described in:
- Failure to investigate properly and update your organization’s software could result in a threat actor being able to gain access and persistence to return to your systems, bypass MFA, and ultimately launch an attack such as ransomware within your network
- There is a tool to check for malicious activity on PCS available here.
Next Steps for Ivanti Pulse Connect Secure Customers
If your organization uses Ivanti Pulse Connect Secure products, you should:
- Itemize all instances of Pulse Connect Secure virtual and hardware appliances hosted by your organization or on your organization's behalf.
- Upgrade the Pulse Connect Secure server software version to the 9.1R.11.4 (patch available here!).
- Immediately run Ivanti’s Pulse Secure Connect Integrity Tool on every instance of a Pulse Connect Secure appliance identified in Step 1 to determine whether your VPN has been compromised.
- Immediately isolate the appliance from the network while keeping the power on; and
- notify Corvus of a potential cyber claim via firstname.lastname@example.org. We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.If the tool detects a compromise:
- Affected appliances should only be returned into production after forensic analysis has been completed and remediation requirements have been met.Review CISA’s Cyber Activity Alert (AA21-110A) and the Pulse Secure blog, for more detailed steps and guidance.