The security flaw tracked as CVE-2021-22893 is being used by at least two APTs likely linked to China, to attack U.S. defense targets among others.

Pulse Secure has rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.

Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

The zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug is being used in the wild to gain administrator-level access to the appliances, according to research from Pulse Secure’s parent company, Ivanti.

It’s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and “allows a remote unauthenticated attacker to execute arbitrary code via license server web services.” It can be exploited without any user interaction.

The activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning businesses of the ongoing campaigns. These are being tracked by FireEye Mandiant as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.

In addition to the exploit for CVE-2021-22893,  the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.

“Nation-state hackers will forever pose a threat to businesses around the world,” Andrey Yesyev, director of cybersecurity at Accedian, said via email. “These types of attacks are almost impossible to detect and are increasingly dangerous for any organization’s sensitive data. Once hackers gain initial access to a victim’s network, they’ll move laterally in order to find valuable data. Furthermore, if they’re able to infiltrate an organization’s perimeter, bad actors could establish a connection to a command-and-control server (C2) – allowing them to control compromised systems and steal data from target networks.”

Additional Critical Pulse Connect VPN RCE Bugs

Pulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.

The other patches are:

  • CVE-2021-22894 (CVSS rating of 9.9): A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.
  • CVE-2021-22899 (CVSS rating of 9.9): A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.
  • CVE-2021-22900 (CVSS rating of 7.2): Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

Pulse Secure: A Cyberattacker’s Favorite

Pulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading – perfect for espionage efforts.

Here’s a rundown of recent activity:

  • April: The FBI warned that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the Feds.
  • April: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS warned.
  • October: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, CVE-2019-11510 was in play, used to gain access to employees’ legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.

To stay safe, Accedian’s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.

“And in order to detect C2 communications, it’s important to have visibility into network communication patterns,” he added. “This is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels…allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.”

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.