Hackers exploit Pulse Secure VPN flaws in sophisticated global campaign

Chinese-backed groups have been spying on US and European organisations including those in the defence industry

At least two major hacking groups have deployed a dozen malware families to exploit vulnerabilities in Pulse Connect Secure’s suite of virtual private network (VPN) devices to spy on the US defence sector.

Hackers infiltrated the Pulse Connect Secure (PCS) platform by exploiting CVE-2021-22893, a critical remote code execution flaw rated a maximum of ten on the threat severity scale, in combination with a number of previously discovered vulnerabilities

Ivanti, Pulse Secure’s parent company, has released mitigations for the flaw, as well as a tool to determine if customer’s systems have been compromised, although a patch won’t be available until May 2021.

The purpose of the hack, and the scale of the infiltration, isn’t yet clear, but researchers with FireEye have linked the attack to Chinese state-backed groups. Although the predominant focus of their investigation was infiltration against US defence companies, researchers detected samples across the US and Europe. 

They were first alerted to several intrusions at defence, government and financial organisations around the world earlier this year, based on the exploitation of Pulse Secure VPN devices. They weren’t able to determine how hackers obtained administrative rights to the appliances, although they now suspect Pulse Secure vulnerabilities from 2019 and 2020 were to blame, while other intrusions were due to CVE-2021-22893.

They identified two groups, referred to as UNC2630 and UNC2717, each conducting attacks during this period against US defence agencies and global government agencies respectively. They suspect that at least the former operates on behalf of the Chinese government, although there isn’t enough evidence to make a determination on the second.

FireEye has recommended that all Pulse Secure Connect customers should assess the impact of the available mitigations and apply them if possible. They should also use the most recent version of the Pulse Secure tool to detect whether their systems have been infiltrated. 

Scott Caveza, research engineering manager with Tenable, said that alongside the new flaw, attackers also seem to be leveraging three previously fixed flaws including CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260. The first of the three, which has been routinely exploited in the wild since it was first disclosed in August 2019, was among Tenable’s top five most commonly exploited flaws last year. 

Related Resource

Taking a proactive approach to cyber security

A complete guide to penetration testing

A complete guide to penetration testing - whitepaper from CyberCxDownload now

“Because it is a zero-day and the timetable for the release of a patch is not yet known, CVE-2021-22893 gives attackers a valuable tool to gain entry into a key resource used by many organizations, especially in the wake of the shift to the remote workforce over the last year,” said Caveza. 

“Attackers can utilise this flaw to further compromise the PCS device, implant backdoors and compromise credentials. While Pulse Secure has noted that the zero-day has seen limited use in targeted attacks, it’s just a matter of time before a proof-of-concept becomes publicly available, which we anticipate will lead to widespread exploitation, as we observed with CVE-2019-11510."

Trend Micro research previously found that attackers were heavily targeting VPNs, including exploiting flaws present in Fortinet's VPN and Pulse Connect Secure.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

What is cyber warfare?
Security

What is cyber warfare?

23 Mar 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021