The Cybersecurity and Infrastructure Security Agency (CISA) warned attackers continue to exploit Pulse Connect Secure vulnerabilities. The alert was issued after CISA confirmed malicious activity on public and private entity networks on vulnerable Pulse Connect Secure appliances. Additional detection methods were also added on April 30.
Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products had been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool.
“To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching,” CISA warned in the alert.
Ivanti recently issued an advisory and workaround for a Critical vulnerability CVE-2021-22893 in Pulse Connect Secure (PCS). More specifically, an authentication by-pass vulnerability can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.
Pulse Secure noted this vulnerability also carries the maximum CVSS score of 10.0 and “poses a significant risk to your deployment.” The company also noted that the solution for these vulnerabilities is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4.
Moreover, The Ivanti Product Security Incident Response Team (PSIRT) also introduced a new tool to enhance organizations’ “ability to ensure the full integrity of your Pulse Connect Secure software.”
Readers may also remember CVE-2019-11510 was one of the top four CVE’s Chinese state-sponsored cyber threat actors targeted against U.S. government agencies last year.
On April 30, CISA added new detection techniques, ‘Impossible Travel’ and ‘Transport Layer Security (TLS) Fingerprinting’, to help identify malicious activity against Pulse Connect Secure devices.
In the case of Impossible Travel, bad actors masquerade as legitimate users from different locations that likely reveal illegitimate connections.
“CISA has noted IPs associated with malicious webshell interaction from a threat actor—associated with a single username—in both the authenticated and the unauthenticated logs at the same time,” CISA noted in the updated advisory.
Thus, defenders were able to trace the attacker back to a single IP address.
Transport Layer Security (TLS) Fingerprinting
Defenders can also use another method called TLS fingerprinting. In this case, bad actors may re-use various JA3 hashes including those that align with Chrome, Firefox, and others.
CISA further cautioned using TLS fingerprinting on its own, however, since many JA3 hashes observed in Pulse Connect Secure exploitation activity could also be related to benign activity. In other words, the hashes may not be unique.
Instead, defender should add other data points to TLS fingerprinting. For example, an attacker will often exclude the use of Server Name Indication (SNI) extensions more commonly used in DNS hostname lookups and instead browse directly to IP addresses.
Updated May 1, 2021: This article was updated to include new CISA detection techniques added on April 30.