
CISA orders federal orgs to mitigate Pulse Secure VPN bug by Friday
2021-04-21 15:53

The US Cybersecurity and Infrastructure Security Agency has issued a new emergency directive ordering federal agencies to mitigate an actively exploited vulnerability in Pulse Connect Secure VPN appliances on their networks by Friday.

CISA issued Emergency Directive 21-03 on Tuesday after Pulse Secure confirmed a FireEye report saying that at least two state-backed threat groups exploited the bug to breach government and defense organizations in the US and across the globe.

Until the mitigation measures are applied, Federal Civilian Executive Branch departments and agencies were also told to run the Pulse Connect Secure Integrity Tool on all PCS appliances every 24 hours to check for evidence of compromise.

If any signs of malicious activity are found, CISA instructed the agencies to isolate the appliances and reach out to Pulse Secure to collect forensic evidence of the intrusion.

Threat actors tracked as UNC2630 and UNC2717 by cybersecurity firm FireEye took over Pulse Secure appliances using both CVE-2021-22893 and older bugs.

UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP. "They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks," Charles Carmakal, FireEye Mandiant SVP and CTO, told BleepingComputer.


News URL

https://www.bleepingcomputer.com/news/security/cisa-orders-federal-orgs-to-mitigate-pulse-secure-vpn-bug-by-friday/

Related Vulnerability

Date: 2021-04-23
CVE: CVE-2021-22893
Vulnerability title: Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1
Description: Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.
Attack vector: network
Attack complexity: low
Vendor: ivanti
CWE: CWE-416
Risk: critical (10.0)