Hackers Exploit Unpatched Pulse Secure 0-Day Flaw

Hackers Exploit Unpatched Pulse Secure 0-Day Flaw

A newly discovered critical zero-day vulnerability in combination with other known flaws is currently being exploited in the wild and for which there is no patch available. Attackers can bypass authentication and harvest login credentials and use them to move laterally within the compromised environments.

Ivanti, the company operating the affected Pulse Secure VPN devices, says the critical vulnerability will be patched by early May.

At least two threat actors have been targeting defense, government, and financial organizations in the U.S. and other countries and successfully circumventing multi-factor authentication protections in Pulse Secure VPN devices to breach enterprise networks.

“A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector,” cybersecurity firm FireEye said on Tuesday.

The security firm identified 12 malware families involved in the exploitation of the flaws in Pulse Secure VPN appliances. 

The list of malware families and the hacker groups behind them are:

  • HARDPULSE, QUIETPULSE, and PULSEJUMP (attributed to UNC2717)
  • STEADYPULSE and LOCKPICK (unattributed)

According to FireEye, they’ve seen UNC2630 harvest login credentials and use them to move laterally in the affected networks. To maintain persistence, the hackers used modified Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells to carry out file operations and execute malicious code.

The Utah-based company Ivanti expects to fix the issue by early May. Meanwhile, the company has released temporary mitigations to address the vulnerability CVE-2021-22893, CVSS score: 10.

Ivanti said that the new flaw impacted a “very limited number of customers” and has released a Pulse Connect Secure Integrity Tool that customers can use to check for indications of compromise.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.