*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

Pulse Secure declares new SSL VPN Zero Day vulnerability


UPDATED: May 6th 2021

The Vulnerability

Pulse Secure has recently announced that their Pulse Connect Secure SSL VPN contains a new Zero Day vulnerability. 

The vulnerability has been given a CVSv3 score of 10 (maximum score), which highlights its critical risk. It is known as CVE-2021-22893 and has been announced out of the usual vulnerability announcement cycle. It is believed CVE-2021-22893 is being used in conjunction with previously disclosed vulnerabilities.

The vulnerability allows attackers to circumvent multi-factor authentication, gain entry into networks and provides the ability to execute remote file execution on the Pulse Secure Gateway. Well known cyber security company FireEye has identified 12 malware families associated with the exploitation of the Pulse Secure VPN appliances including SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, HARDPULSE, QUIETPULSE AND PULSEJUMP.

It has been reported that multiple US and European government organisations, including defence and finance, have been affected by the vulnerability to date.

Who is behind the attacks?

Whilst the overall purpose of the attacks and its full scale are as yet unknown researchers are attributing the attack to Chinese state backed threat actors UNC2630 AND UNC2717. It is believed that UNC2630 primarily targeted the US Defence Industrial Base, which is the industrial assets allocated to development and production of equipment for the armed forces. UNC2717 has been attributed with targeting global government agencies between October 2020 and March 2021.

FireEye has also announced that it suspects that UNC2360 may have connections to APT5, a known Advanced Persistent Threat group that operates on behalf of the Chinese Government based on “strong similarities to historic intrusions dating back to 2014 and 2015” conducted by APT5.

FireEye itself has not been able to definitively connect the two groups but a “trusted third party” has found evidence connecting historic APT5 activity to its recent findings.

It is believed that the attackers are highly skilled and have a deep understanding of the Pulse Secure product.

If this is present in my organisation, what is the solution?

Pulse Secure has released a patch for this vulnerability which can be found here.

It is also advised that organisations running PCS 9.0R3 or before upgrade the server software to 9.1R.11.4.

Ivanti – the parent company of Pulse Secure – has also released the Pulse Connect Secure Integrity Tool to aid organisations assess whether they have been impacted. This can be found here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

If you’d like to know more about how to protect your organisation against Zero Day attacks, visit the Cyber Security as a Service section of our website.

Craig Evans

Written by Craig Evans
A hospitality leader turned cyber professional, mentor and blogger, Craig is part of the SOC team at NormCyber.  He helps to minimise the operational disruption, financial impact and reputational damage caused by cyber attacks by proactively monitoring customers’ technology environments. Craig has broad knowledge of all things cyber and holds both Blue and Red team qualifications.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group