Skip to main content
close search
site logo
Dive Brief

Attackers leverage Pulse Secure VPNs to target defense, financial industries

Published April 22, 2021
David Jones's headshot
Reporter
Illustration of locks layered above circuity.
Traitov/iStock/Getty via Getty Images

Dive Brief:

  • Advanced persistent threat actors are targeting zero-day vulnerabilities in Pulse Secure VPN devices aimed at accessing the U.S. defense industry, financial organizations and a number of overseas targets, including Europe, according to researchers at Mandiant. 

  • Researchers at Mandiant are tracking 12 malware families linked to the attacks. APT actors harvest legitimate credentials in order to gain access and move laterally across environments. 

  • The Cybersecurity and Infrastructure Security Agency issued an emergency directive earlier this week warning federal agencies to mitigate exposure to Pulse Connect Secure vulnerabilities, saying they posed an "unacceptable risk."

Dive Insight:

The Pulse Secure attacks date back to vulnerabilities originally discovered in 2019, and mark the latest in a series of threat activities linked to the VPN vulnerabilities. 

"In many cases victims were compromised using 2019 vulnerabilities on unpatched systems, however the attackers were capable of compromising fully patched systems and did so at a limited number of high value targets," said Stephen Eckels, reverse engineer, FLARE at Mandiant, via email.

Officials at Ivanti, the parent company of Pulse Secure, confirmed they have been working with customers on the latest series of attacks.

"The Pulse Connect Secure team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances," company officials said in a statement. "The PCS team has provided remediation guidance to these customers directly."

CISA issued an urgent warning to federal agencies and others to take steps to mitigate the risk of attacks by April 23. 

"We're aware of 24 agencies running the Pulse Connect Secure devices, but it's too early to determine conclusively how many have actually had the vulnerability exploited," a spokesperson for CISA said. 

CISA said the threat activity is linked to three former and one newly discovered vulnerability CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893. The threat actor is installing webshells onto Pulse Secure devices in order to bypass authentication, multifactor authentication, password logging and persistence through patching. 

All organizations running Pulse Secure devices should follow steps in the CISA Activity Alert and Emergency Directive in order to identify potential intrusions and also run the Integrity Checker, a spokesperson for CISA said. 

After running the tool, users should report any hash mismatches or newly detected files to the vendor and to CISA in order to help get a better understanding of how widespread the private and public sectors are exposed to this, the spokesperson added. 

The Department of Defense is also aware of the vulnerabilities, a Pentagon spokesperson confirmed. "We are assessing the potential impact to the Defense Information Network and taking the appropriate steps to protect the data, network and systems."

Earlier this month, the FBI and CISA issued a warning about APT groups targeting Fortinet VPN devices. 

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell