Security News > 2021 > April > Attackers are exploiting zero-day in Pulse Secure VPNs to breach orgs (CVE-2021-22893)

Attackers have been exploiting several old and one zero-day vulnerability affecting Pulse Connect Secure VPN devices to breach a variety of defense, government, and financial organizations around the world, Mandiant/FireEye has warned on Tuesday.

Phil Richards, the Chief Security Officer at Ivanti - the company that acquired Pulse Secure in late 2020 - said that the zero-day vulnerability "Impacted a very limited number of customers," and that the software updates plugging the flaw will be released in early May. In the meantime, they've offered some workarounds that can mitigate the risk of exploitation of that particular vulnerability, as well as a tool that can help defenders check if their systems have been affected.

"We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance," FireEye researchers shared.

The attackers have been leveraging three previously known, exploited and already patched vulnerabilities in Pulse Connect Secure VPN devices: CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260.

The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

The U.S. CISA has released an emergency directive ordering federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency's behalf, and to deploy and run the latest version of the Pulse Connect Secure Integrity Tool on each of those instances.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/Xyj3Fy-SONI/