Cybersecurity Threat Advisory 0027-21: Pulse Secure Zero-Day Authentication Bypass
A zero-day vulnerability has been discovered in Pulse Secure VPN appliances and has resulted in the compromise of several U.S governmental organizations and agencies. This vulnerability allows an attacker to bypass multi-factor authentication by modifying legitimate Pulse Secure files, and results in attacker access to a device and the creation of a webshell for persistence. There is currently no patch available to completely prevent exploitation, however Pulse Secure has provided a tool for detecting compromise and the steps required to use it.
Technical Detail & Additional Information
WHAT IS THE THREAT?
A zero-day vulnerability has been reported in Pulse Secure VPN appliances after multiple security agencies reported breaches. The vulnerabilities in question function by modifying legitimate Pulse Secure files to bypass or record authentication credentials. Doing so allows the actor to circumvent multi-factor authentication and log in illegitimately. The actor will then deploy a webshell into legitimate Pule Secure VPN appliance administrative web pages, which aids in persistence. From this point, the attacker has persistent access to the system and can begin making their changes, such as disguising their presence by clearing logs, adding or removing programs, and spreading laterally with newly harvested credentials.
WHY IS IT NOTEWORTHY?
The compromise is to several U.S. government agencies, which is indicative of a high-profile targeted attack and a sophisticated attacker. This is not the first time in recent memory where high-profile organizations and government agencies were breached due to vulnerabilities in a 3rd party application, which parallels the SolarWinds compromise of last year. The nature of this vulnerability is severe enough that CISA (the Cybersecurity and Infrastructure Security Agency) released an emergency directive on Tuesday, April 20th detailing the threat and requiring all federal agencies to take stock of their Pulse Secure Connect products and to apply appropriate updates by Friday, April 23rd.
WHAT IS THE EXPOSURE OR RISK?
An organization that is compromised by this vulnerability is at risk of a threat actor making a host of unauthorized and dangerous changes in their environment. Once the vulnerability is exploited, the attacker will gain persistence via a webshell, disguise their presence by removing relevant logs, and can then begin making their impact. While the exact post-exploitation steps taken by these threat actors have not been made clear, the standard suite of malicious actions such as adding and removing programs or services and spreading laterally are the most likely outcome. Given that U.S. government organizations were targeted the activity could be informational in nature, with the threat actor seeking to exfiltrate confidential information for sale or future use.
WHAT ARE THE RECOMMENDATIONS?
Ivanti, the parent company of Pulse Secure, has released mitigations for compromised organizations to determine if they have been compromised. There has not yet been a patch released to fix this vulnerability, however one is projected for an early May 2021 release. Ivanti has however released a tool called the “Pulse Connect Secure Integrity Tool” which can assess the integrity of the file system on a device and determine if there is a threat. The exact steps required to use this tool are detailed in CISA’s emergency directive at the following link:
You can also find the Pulse Connect Secure Integrity tool at the following link:
If you have any questions, please contact our Security Operations Center.