Security News > 2021 > April > WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations
If Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability that is currently being exploited in the wild and for which there is no patch available yet.
At least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.
"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector," cybersecurity firm FireEye said on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.
In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.
Ivanti, the company behind the Pulse Secure VPN, has released temporary mitigations to address the arbitrary file execution vulnerability, while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a "Very limited number of customers," adding it has released a Pulse Connect Secure Integrity Tool for customers to check for signs of compromise.
Pulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.
News URL
Related news
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor (source)
- PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files (source)
- Hackers Exploit Webview2 to Deploy CoinLurker Malware and Evade Security Detection (source)
- Hackers exploit DoS flaw to disable Palo Alto Networks firewalls (source)
- White House links ninth telecom breach to Chinese hackers (source)
- Hackers steal ZAGG customers' credit cards in third-party breach (source)
- Hackers exploit Four-Faith router flaw to open reverse shells (source)
- Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens (source)
- Mitel 0-day, 5-year-old Oracle RCE bug under active exploit (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-23 | CVE-2021-22893 | Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1 Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |