HC3 TLP White Sector Alert Pulse Secure Vulnerabilities Keep on Going August 27, 2021

Executive Summary:

Since April 2021, several vulnerabilities in Pulse Secure VPN technology have been actively exploited. They allow a variety of malicious activity, including authentication bypass, multi-factor authentication bypass, password logging, and persistence that survives patching, all of which can facilitate further attacks on an information infrastructure. The Department of Homeland Security has observed threat actors creating scheduled tasks and remote access trojans to establish persistence, exfiltrate files, and execute ransomware on victims' network environments, including those of healthcare organizations. It is imperative that the corresponding patches are tested and implemented to prevent healthcare organizations from being compromised.

Impact to HPH Sector:

These vulnerabilities pose a serious threat to the HPH sector because they allow an attacker or threat actor to maintain remote command and control of the target system. From there, the attacker could move laterally across the network and harvest administrative credentials, giving the threat actor access to all sensitive data. These vulnerabilities have been leveraged by threat actors to target healthcare and public health organizations. As indicated in HC3’s July alert, they continue to impact organizations through the Ivanti Pulse Connect Secure products.

Report/Analysis:

Pulse Secure disclosed prior vulnerabilities along with the previously unknown CVE-2021-22893, also discovered in April 2021, which together formed the initial infection vector. Ivanti, Pulse Secure’s parent company, released mitigations for the exploited vulnerability, which has been linked to 12 malware families associated with the exploitation of Pulse Secure VPN devices, and published the Pulse Connect Secure Integrity Tool so that customers can determine whether their systems were compromised.

In May 2021, the company released a final patch to address the vulnerability. Pulse Secure worked with Mandiant, forensic experts, affected customers, and government partners to address these issues. It is worth noting that during this investigation there was no indication that backdoors were introduced through a supply chain compromise of the company’s network or software.

The Department of Homeland Security has observed threat actors successfully installing ransomware at hospitals, creating scheduled tasks and remote access trojans to establish persistence, amassing files for exfiltration, and executing ransomware on the victim’s network environment. To reduce the possibility of detection, threat actors used the Tor infrastructure and virtual private servers. As stated previously, we do not know whether the threat actors are targeting critical infrastructure, which leaves the HPH sector as a potential target; therefore, we recommend that you remain informed as new information on these vulnerabilities is reported.

On August 24, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) released its analysis of five malware samples connected to exploited Pulse Secure devices. CISA encourages both users and administrators to review the five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) along with indicators of compromise (IOCs). For additional information, review CISA’s updated Alert (AA21-110A): Exploitation of Pulse Connect Secure Vulnerabilities.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272