Security News > 2021 > April > Attackers are exploiting zero-day in Pulse Secure VPNs to breach orgs (CVE-2021-22893)
Attackers have been exploiting several old and one zero-day vulnerability affecting Pulse Connect Secure VPN devices to breach a variety of defense, government, and financial organizations around the world, Mandiant/FireEye has warned on Tuesday.
Phil Richards, the Chief Security Officer at Ivanti - the company that acquired Pulse Secure in late 2020 - said that the zero-day vulnerability "Impacted a very limited number of customers," and that the software updates plugging the flaw will be released in early May. In the meantime, they've offered some workarounds that can mitigate the risk of exploitation of that particular vulnerability, as well as a tool that can help defenders check if their systems have been affected.
"We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance," FireEye researchers shared.
The attackers have been leveraging three previously known, exploited and already patched vulnerabilities in Pulse Connect Secure VPN devices: CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260.
The vulnerability affects Pulse Connect Secure 9.0R3 and higher.
The U.S. CISA has released an emergency directive ordering federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency's behalf, and to deploy and run the latest version of the Pulse Connect Secure Integrity Tool on each of those instances.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/Xyj3Fy-SONI/
Related news
- Fog ransomware targets SonicWall VPNs to breach corporate networks (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Helldown ransomware exploits Zyxel VPN flaw to breach networks (source)
- Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-28 | CVE-2020-8260 | Unrestricted Upload of File with Dangerous Type vulnerability in Pulsesecure Pulse Secure Desktop Client 9.1 A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. | 7.2 |
2020-09-30 | CVE-2020-8243 | Code Injection vulnerability in multiple products A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. | 7.2 |
2019-05-08 | CVE-2019-11510 | Path Traversal vulnerability in Ivanti Connect Secure 8.2/8.3/9.0 In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability . | 10.0 |