Software programs often have flaws/vulnerabilities, which are often exploited by cybercriminals to gain access to victims’ data. Recently, federal agencies have been ordered to address multiple vulnerabilities affecting Ivanti Pulse Connect Secure (PCS) VPN appliances on their network systems. Pulse Connect Secure VPN provides TLS and mobile VPN solutions to organizations globally.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) warned about the actively exploited vulnerabilities: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893.
The Impact
If exploited successfully, the vulnerabilities could allow an attacker, to launch remote code execution to obtain privileged access to install programs, view, alter, or delete data from the compromised system. CISA found that the exploitation of Pulse Connect Secure products poses a serious threat to Federal Civilian Executive Branch agencies.
Deployment of Malicious Web Shells
CISA stated that cybercriminals are exploiting the flaws to deploy malicious web shells on the Pulse Connect Secure appliances to manipulate various functions including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Ivanti has recommended mitigation measures and is working on developing a patch for the vulnerabilities. “In the past, intruders were primarily targeting infrastructure devices. While intruders can perform several types of attacks on network devices, malicious actors are now looking for ways to subvert the normal behavior of infrastructure devices. In general, these intruders can gain access, typically by exploiting vulnerabilities on the system or possibly manipulate an authorized user via several social engineering attacks,” Ivanti said.
⚠️ Federal civilian agencies running Pulse Connect Secure products are required to take immediate action. We encourage all organizations to follow similar steps. Read Emergency Directive 21-03: https://t.co/8TlOwi3zHn pic.twitter.com/nZOJF9bswi
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 21, 2021
Required Actions
By 5 pm EDT on Friday, April 23, 2021, all federal agencies using Ivanti’s services should:
- Enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf.
- On every instance of a Pulse Connect Secure appliance identified in the step above, deploy and run the Pulse Connect Secure Integrity Tool (https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755)
Mitigation Measures
CISA urged organizations using Ivanti Pulse Connect Secure appliances to immediately implement the vulnerability mitigation measures released by the company. These include:
- Reviewing the Pulse Secure Connect Integrity Tool Quick Start Guide.
- Running the Pulse Secure Connect Integrity Tool.
- Reviewing “Unauthenticated Web Requests” log for evidence of exploitation if enabled.
- Changing all passwords associated with accounts passing through the Pulse. Secure environment (including user accounts, service accounts, administrative accounts, and any accounts that could be modified by any account described above, all these accounts should be assumed to be compromised).
- Reviewing logs for any unauthorized authentications originating from the Pulse.
- Connecting Secure appliance IP address or the DHCP lease range of the Pulse.
- Connecting Secure appliance’s VPN lease pool.
- Looking for unauthorized applications and scheduled tasks in their environment.
- Ensuring no new administrators were created, or non-privileged users were added to privileged groups.
- Removing any remote access programs not approved by the organization.
- Carefully inspect scheduled tasks for scripts or executables that may allow a threat actor to connect to an environment.
“The cyber threat actor is using exploited devices located on residential IP space — including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors — to proxy their connection to interact with the web shells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity,” CISA said.
