Pulse Secure declares new SSL VPN Zero Day vulnerability

norm clock

UPDATED: May 6th 2021

The Vulnerability

Pulse Secure has recently announced that their Pulse Connect Secure SSL VPN contains a new Zero Day vulnerability. 

The vulnerability has been given a CVSv3 score of 10 (maximum score), which highlights its critical risk. It is known as CVE-2021-22893 and has been announced out of the usual vulnerability announcement cycle. It is believed CVE-2021-22893 is being used in conjunction with previously disclosed vulnerabilities.

The vulnerability allows attackers to circumvent multi-factor authentication, gain entry into networks and provides the ability to execute remote file execution on the Pulse Secure Gateway. Well known cyber security company FireEye has identified 12 malware families associated with the exploitation of the Pulse Secure VPN appliances including SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, HARDPULSE, QUIETPULSE AND PULSEJUMP.

It has been reported that multiple US and European government organisations, including defence and finance, have been affected by the vulnerability to date.

Who is behind the attacks?

Whilst the overall purpose of the attacks and its full scale are as yet unknown researchers are attributing the attack to Chinese state backed threat actors UNC2630 AND UNC2717. It is believed that UNC2630 primarily targeted the US Defence Industrial Base, which is the industrial assets allocated to development and production of equipment for the armed forces. UNC2717 has been attributed with targeting global government agencies between October 2020 and March 2021.

FireEye has also announced that it suspects that UNC2360 may have connections to APT5, a known Advanced Persistent Threat group that operates on behalf of the Chinese Government based on “strong similarities to historic intrusions dating back to 2014 and 2015” conducted by APT5.

FireEye itself has not been able to definitively connect the two groups but a “trusted third party” has found evidence connecting historic APT5 activity to its recent findings.

It is believed that the attackers are highly skilled and have a deep understanding of the Pulse Secure product.

If this is present in my organisation, what is the solution?

Pulse Secure has released a patch for this vulnerability which should be implemented as soon as possible.

It is also advised that organisations running PCS 9.0R3 or before upgrade the server software to 9.1R.11.4.

Ivanti – the parent company of Pulse Secure – has also released the Pulse Connect Secure Integrity Tool to aid organisations assess whether they have been impacted. This can be found here.

If you’d like to know more about how to protect your organisation against Zero Day attacks, visit the Cyber Security as a Service section of our website.

Craig evans

Written by Craig Evans
A hospitality leader turned cyber professional, mentor and blogger, Craig is part of the SOC team at NormCyber.  He helps to minimise the operational disruption, financial impact and reputational damage caused by cyber attacks by proactively monitoring customers’ technology environments. Craig has broad knowledge of all things cyber and holds both Blue and Red team qualifications.