Pulse Secure VPN appliances are under attack. Two known vulnerabilities already have patches, while a novel vulnerability has a workaround until a patch is released.
One of the biggest security tools in an organization's toolbox is a Virtual Private Network (VPN). Businesses that did not have remote workers prior to the pandemic quickly learned the value of a good VPN. Those that did have remote workers learned even more about how a VPN can protect the business and how to make it available to each employee. As with all things in life, though, nothing is perfect. We've talked about Pulse Secure VPN in the past: it's used by many businesses in the healthcare industry, and it has known vulnerabilities. Those vulnerabilities, along with a new one, are causing major problems for the VPN provider.
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”
The Mandiant team kept finding malicious activity they traced back to Pulse Secure VPN appliances, but they couldn't figure out how the hackers obtained administrative credentials. Ivanti, the parent company of Pulse Secure (PCS), conducted an investigation and determined the threat actors were using the two known vulnerabilities plus a zero-day vulnerability now tracked as CVE-2021-22893. The flaw, a critical vulnerability with a CVSS score of 10, allows threat actors to bypass authentication on the VPN and execute arbitrary code.
Patches for the first two vulnerabilities were released last year; the fix for the new flaw will ship in the next PCS release. Version 9.1R.11.4 has not been released yet, so the company provided a workaround: an .xml configuration file that can be imported into the appliance. Importing it disables the Windows File Share Browser and Pulse Secure Collaboration features, which blocks the attack vector. It's a temporary fix until the patch is released, which will hopefully be sooner rather than later, since the workaround has some limitations.
In addition to the workaround, Pulse Secure released a tool that helps admins check the integrity of the file system on their PCS appliances. It detects file modifications and any additional malicious files deployed by the attackers.
When it comes to the new flaw that still needs a patch, Pulse Secure is doing all of the right things in response to an incident. They've conducted an investigation and know what the problem is, they've notified users that there is a problem, and while they work on a patch they have created a workaround for businesses. This is an instance where the company executed a proper incident response: despite being the target of malicious activity, they are taking steps to ensure the safety and security of their customers.
Any user of a PCS appliance should do a full review and run the tool the company created to ensure nothing nefarious is happening in their systems. Pulse Secure can only do so much; after that, business leaders must do their part as well. Apply the patches, check your systems, and make sure your business isn't compromised. And, as always, consult an expert to help with complicated processes you don't fully understand. Security is more than just following steps, so it's best to trust those things to people who eat, breathe and sleep security.