Hackers are actively exploiting a newly discovered flaw in Pulse Connect Secure VPN products, alongside some older flaws that some customers have yet to patch.
Cybersecurity firm FireEye reported that it has been investigating multiple compromises of these devices involving a bug tracked as CVE-2021-22893, discovered in April. It's a significant vulnerability with a severity score of 10 out of a possible 10, and the malware being deployed is designed to bypass two-factor authentication.
The vulnerability includes an authentication bypass that can "allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway," according to Pulse Secure's advisory.
FireEye's incident response unit Mandiant says it is tracking 12 malware families linked to attacks on Pulse Secure VPN appliances that use this bug in combination with older bugs affecting the software.
FireEye has attributed the activity to a group it labels UNC2630, a suspected China state-sponsored hacking group that has allegedly targeted the US Defense industry and European organizations.
US-based IT asset management firm Ivanti has released the Pulse Connect Secure Integrity Tool and other mitigations for the bug that's under attack.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said the attacks on this VPN product began in June 2020: other bugs the attackers have used include CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which allow them to install web shells to gain persistence on the device.
As ZDNet reported last August, attackers have been scanning the internet for Pulse Secure VPN servers with these flaws since June because the VPNs are used by staff to remotely access internal apps.
"The threat actor is using this access to place web shells on the Pulse Connect Secure appliance for further access and persistence. The known web shells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching," CISA warned in its alert.
According to FireEye, the threat actor was snatching credentials from Pulse Secure VPN login processes, allowing them to use legitimate credentials to move within a compromised network.
Carnegie Mellon University's US CERT Coordination Center has also issued an alert over the attacks and, until a patch is released, it recommends disabling the features Windows File Share Browser and Pulse Secure Collaboration on Pulse Connect Secure (PCS) gateway instances.
"An unspecified vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Products affected by this vulnerability are PCS version 9.0R3 and higher," it noted.
FireEye is tracking two groups using these vulnerabilities and a variety of web shells that share common traits. It has tagged the other group UNC2717, but says it cannot verifiably establish that the two groups' activities are connected.
"Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717," said FireEye.
"We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected [Advanced Persistent Threat] actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools."