Zero-Day Vulnerability in Pulse Secure VPN

THREAT LEVEL: Red.

An authentication bypass zero-day (CVE-2021-22893) has been disclosed in Pulse Connect Secure, the Pulse Secure VPN gateway; it allows an unauthenticated remote attacker to execute arbitrary code on the appliance. The flaw is being exploited in the wild by multiple threat actors, chained with three older, already patched vulnerabilities (CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260) on appliances that were never updated. The actors have targeted defense, government and financial organizations in the United States and elsewhere, and at least one of them is suspected of operating on behalf of the Chinese government.

Pulse Secure has stated that a patch for CVE-2021-22893 will be released in May. Until it ships, the vendor's interim workaround and the Pulse Connect Secure Integrity Tool (both published under advisory SA44784, linked below) should be applied: the workaround blocks the vulnerable features, and the Integrity Tool checks an appliance for tampered or unexpected files.

Malware families deployed by each threat group are as follows:

  • UNC2630 – SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
  • UNC2717 – HARDPULSE, QUIETPULSE, and PULSEJUMP
  • Unknown – STEADYPULSE and LOCKPICK

The techniques used by the adversaries, mapped to MITRE ATT&CK, include:

  • T1003-OS Credential Dumping
  • T1016-System Network Configuration Discovery
  • T1021.001-Remote Desktop Protocol
  • T1027-Obfuscated Files or Information
  • T1036.005-Match Legitimate Name or Location
  • T1048-Exfiltration Over Alternative Protocol
  • T1049-System Network Connections Discovery
  • T1053-Scheduled Task/Job
  • T1057-Process Discovery
  • T1059-Command and Scripting Interpreter
  • T1059.003-Windows Command Shell
  • T1070-Indicator Removal on Host
  • T1070.001-Clear Windows Event Logs
  • T1070.004-File Deletion
  • T1071.001-Web Protocols
  • T1082-System Information Discovery
  • T1098-Account Manipulation
  • T1105-Ingress Tool Transfer
  • T1111-Two-Factor Authentication Interception
  • T1133-External Remote Services
  • T1134.001-Access Token Manipulation: Token Impersonation/Theft
  • T1136-Create Account
  • T1140-Deobfuscate/Decode Files or Information
  • T1190-Exploit Public-Facing Application
  • T1505.003-Web Shell
  • T1518-Software Discovery
  • T1554-Compromise Client Software Binary
  • T1556.004-Network Device Authentication
  • T1562-Impair Defenses
  • T1569.002-Service Execution
  • T1574-Hijack Execution Flow
  • T1592.004-Gather Victim Host Information: Client Configurations
  • T1600-Weaken Encryption

Vulnerability Details

  • CVE-2021-22893 – Authentication bypass in Pulse Connect Secure 9.0R3/9.1R1 and later, exposed through the Windows File Share Browser and Pulse Secure Collaboration features; an unauthenticated remote attacker can execute arbitrary code on the gateway (CVSS 10.0). Advisory SA44784.
  • CVE-2019-11510 – Pre-authentication arbitrary file read in Pulse Connect Secure 8.2, 8.3 and 9.0 that exposes cached credentials and session data. Advisory SA44101.
  • CVE-2020-8243 – Arbitrary code execution by an authenticated administrator via upload of a crafted template to the admin web interface, in Pulse Connect Secure before 9.1R8.2. Advisory SA44588.
  • CVE-2020-8260 – Arbitrary code execution by an authenticated administrator via uncontrolled gzip extraction in the admin web interface, in Pulse Connect Secure before 9.1R9. Advisory SA44601.

Patch Links

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 
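The following script is an added example written for this advisory, not code from Pulse Secure or from the advisory itself. It shows the check a practitioner would want after reading the patch links: take a Pulse Connect Secure version string as reported by the appliance (for example "9.1R11.3") and decide which of the four CVEs it is still exposed to. The fixed-build table is an assumption, the editor's reading of the KB articles linked above, and must be confirmed against those articles before being relied on; CVE-2021-22893 is treated as affecting every build from 9.0R3 upward, since at the time of this advisory no patch exists. The point of the parser is that PCS version strings must be compared numerically: as plain strings, "9.1R11.3" sorts before "9.1R8.2", which would wrongly report a patched box as affected.

```python
"""Added example (not from the advisory): report which advisory CVEs a Pulse
Connect Secure (PCS) build is still exposed to, given its version string.

PCS versions look like "9.1R11.3": major.minor, the letter R, a release
number and an optional patch level.  They are compared field by field as
integers, never as strings.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, patch)
Branch = Tuple[int, int]             # (major, minor)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn "9.1R8.2" into (9, 1, 8, 2); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PCS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def branch(v: Version) -> Branch:
    return v[0], v[1]


# ASSUMPTION: fixed builds as the editor reads the Pulse Secure KB articles
# linked under Patch Links.  A rule with a branch applies only to builds on
# that branch (older branches got their own fix builds); a rule with branch
# None applies to every build below the fixed version, because the vendor
# advisory lists "that version and below" as affected.  Confirm before use.
FIX_RULES: List[Tuple[str, Optional[Branch], str]] = [
    ("CVE-2019-11510", (8, 1), "8.1R15.1"),
    ("CVE-2019-11510", (8, 2), "8.2R12.1"),
    ("CVE-2019-11510", (8, 3), "8.3R7.1"),
    ("CVE-2019-11510", (9, 0), "9.0R3.4"),
    ("CVE-2020-8243", None, "9.1R8.2"),
    ("CVE-2020-8260", None, "9.1R9"),
]

# CVE-2021-22893 affects 9.0R3 and later.  No patch exists at the time of
# this advisory, so every such build is reported as affected; re-check once
# the May fix build is published.
CVE_2021_22893_FIRST_AFFECTED = parse_version("9.0R3")


def affected_cves(version_text: str) -> List[str]:
    """Return the advisory CVEs that still apply to the given PCS build."""
    v = parse_version(version_text)
    hits: List[str] = []
    for cve, rule_branch, fixed in FIX_RULES:
        if rule_branch is not None and branch(v) != rule_branch:
            continue  # fix rule is for a different release branch
        if v < parse_version(fixed) and cve not in hits:
            hits.append(cve)
    if v >= CVE_2021_22893_FIRST_AFFECTED:
        hits.append("CVE-2021-22893")
    return hits


def report(version_text: str) -> str:
    """One-line human-readable summary for a build."""
    hits = affected_cves(version_text)
    status = ", ".join(hits) if hits else "none of the advisory CVEs"
    return f"{version_text}: {status}"


if __name__ == "__main__":
    # Constructed sample inputs, one per interesting case.
    for sample in ("9.0R2", "8.3R7.1", "9.1R8.2", "9.1R11.3"):
        print(report(sample))
```

Run it with the version string shown on the appliance's admin console; a build that reports only CVE-2021-22893 is fully patched for the three older flaws and needs the SA44784 workaround until the May fix ships, while a build that also reports the older CVEs has been exposed to the known exploitation chain and should be treated as potentially compromised, not merely unpatched.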