A newly discovered critical zero-day vulnerability in combination with other known flaws is currently being exploited in the wild and for which there is no patch available. Attackers can bypass authentication and harvest login credentials and use them to move laterally within the compromised environments.
Ivanti, the company operating the affected Pulse Secure VPN devices, says the critical vulnerability will be patched by early May.
At least two threat actors have been targeting defense, government, and financial organizations in the U.S. and other countries and successfully circumventing multi-factor authentication protections in Pulse Secure VPN devices to breach enterprise networks.
“A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector,” cybersecurity firm FireEye said on Tuesday.
The security firm identified 12 malware families involved in the exploitation of the flaws in Pulse Secure VPN appliances.
The list of malware families and the hacker groups behind them are:
- SLOWPULSE, ATRIUM, PACEMAKER, RADIALPULSE, THINBLOOD, PULSECHECK, and SLIGHTPULSE (attributed to UNC2630)
- HARDPULSE, QUIETPULSE, and PULSEJUMP (attributed to UNC2717)
- STEADYPULSE and LOCKPICK (unattributed)
According to FireEye, they’ve seen UNC2630 harvest login credentials and use them to move laterally in the affected networks. To maintain persistence, the hackers used modified Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells to carry out file operations and execute malicious code.
The Utah-based company Ivanti expects to fix the issue by early May. Meanwhile, the company has released temporary mitigations to address the vulnerability CVE-2021-22893, CVSS score: 10.
Ivanti said that the new flaw impacted a “very limited number of customers” and has released a Pulse Connect Secure Integrity Tool that customers can use to check for indications of compromise.