Issued: Wednesday, 21 April, 2021
Last Revision: Wednesday, 21 April, 2021
Vendor: Pulse Secure (Ivanti)
Product: Pulse Connect Secure
Threat Actor: UNC2630, UNC2717 (as tracked by FireEye Mandiant)
Severity Level:
Pulse Connect Secure appliances are being actively exploited in the wild by multiple threat actors deploying several distinct malware families. To compromise the appliances, the actors are using a combination of known Pulse Connect Secure vulnerabilities, including CVE-2019-11510 (pre-authentication arbitrary file read), CVE-2020-8260 and CVE-2020-8243 (post-authentication code execution via the admin interface), together with a newly disclosed zero-day authentication bypass tracked as CVE-2021-22893.
Active exploitation of Pulse Connect Secure vulnerabilities has been observed since June 2020. According to the investigation report published by FireEye Mandiant, at least two separate actors, tracked as UNC2717 and UNC2630, were involved in different incidents starting in March 2021. UNC2630 harvested credentials and backdoored legitimate system binaries on the appliance in order to:
- Modify authentication binaries to log credentials and bypass authentication flows, including multi-factor checks (SLOWPULSE).
- Inject webshells into administrative web pages to capture credentials and execute commands (RADIALPULSE and PULSECHECK).
- Remount the normally read-only filesystem read-write so that system files can be modified in place.
- Persist across reboots and across software updates performed by the device administrator.
- Evade detection by clearing log files (THINBLOOD), deleting the utilities they dropped, and restoring patched binaries to their original state after use.
Ivanti has released updates addressing the previously known vulnerabilities and has published mitigation guidance for CVE-2021-22893; organizations should upgrade to the latest software version available from the vendor and apply the vendor's interim workaround until a fixed release is installed. We also recommend running the Pulse Connect Secure Integrity Tool on every Pulse Connect Secure appliance to detect modified system files and other indicators of compromise. Note that a backdoored appliance can hide tampering from tools executed on the running system, so the tool should be run exactly as the vendor instructs and its results preserved for investigation.
FireEye's Mandiant team has also released a GitHub repository containing countermeasures (detection rules and indicators) for the Pulse Connect Secure exploitation campaigns; the link is listed in the references section. If any malicious activity is detected, contact Q-CERT's Incident Response Team for assistance.
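The core technique behind the integrity check recommended above is a manifest comparison: hash every file on the appliance, compare against a known-good baseline, and report files that were modified, added or removed. The following is an added illustration of that technique and is not the vendor's Integrity Tool nor code from Mandiant's repository; the directory layout, file names and "tampering" it performs are constructed for the demo and do not correspond to real malware or real appliance paths.

```python
"""
Added example: file-integrity baseline and comparison, in the spirit of the
Pulse Connect Secure Integrity Tool. Baseline a tree, rescan it later, and
classify each path as modified / added / removed. Nothing here touches a
real appliance; the demo builds a throwaway tree in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.
    Symlinks are skipped so an attacker cannot redirect the scan to a clean copy."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Classify differences between a known-good manifest and a fresh scan.
    Modified = same path, different hash (e.g. a patched auth library);
    added    = present now but not in baseline (e.g. a dropped webshell);
    removed  = in baseline but gone now (e.g. a deleted utility)."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario (hypothetical paths, not real appliance layout):
    baseline a small tree, then simulate the three tampering patterns described
    in the advisory and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home/lib").mkdir(parents=True)
        (root / "home/webserver/htdocs/admin").mkdir(parents=True)
        (root / "home/bin").mkdir(parents=True)

        # Known-good state (constructed placeholder contents).
        (root / "home/lib/libauth.so").write_bytes(b"\x7fELF placeholder auth library")
        (root / "home/webserver/htdocs/admin/login.cgi").write_bytes(b"#!/usr/bin/perl\n# login page\n")
        (root / "home/bin/logclean").write_bytes(b"#!/bin/sh\n# housekeeping utility\n")
        baseline = build_manifest(root)

        # Simulated tampering: a patched binary, a dropped webshell, a deleted tool.
        (root / "home/lib/libauth.so").write_bytes(b"\x7fELF placeholder auth library + bypass patch")
        (root / "home/webserver/htdocs/admin/evil.cgi").write_bytes(b"#!/usr/bin/perl\n# dropped file\n")
        (root / "home/bin/logclean").unlink()

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In practice the baseline must come from a trusted source (the vendor's signed package for the exact installed version), not from the appliance itself, and the comparison must not rely on the appliance's own, possibly backdoored, userland. That is why the vendor's Integrity Tool is delivered as a separate package rather than as a script run from the device shell; the example above only shows the comparison logic.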
Please note that the Q-CERT Incident Response Team is available on call via the following hotline details:
- Q-CERT Hotline Numbers: (+974) 4493-3408 / (+974) 4499-5444
- For reporting an incident, please send an email to: incidents@qcert.org
- Visit our website to report an incident: www.qcert.org
