WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations
If a Pulse Connect Secure gateway is part of your organization's network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability that is currently being exploited in the wild and for which no patch is available yet.
At least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.
"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector," cybersecurity firm FireEye said on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.
To maintain persistence on the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.
Ivanti, the company behind the Pulse Secure VPN, has released temporary mitigations to address the arbitrary file execution vulnerability, while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a "Very limited number of customers," adding it has released a Pulse Connect Secure Integrity Tool for customers to check for signs of compromise.
Pulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-23 | CVE-2021-22893 | Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1. Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |