
CISA Directs Agencies to Reduce the Risks of Pulse Secure VPN

by CISOCONNECT Bureau

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency directive requiring executive branch agencies to mitigate the risks posed by a zero-day vulnerability in Pulse Connect Secure VPN products, as well as three other recently patched vulnerabilities, by Friday.

Ivanti, the parent company of Pulse Secure, and FireEye, a security firm, warned on Tuesday that at least two nation-state attack groups, one of which had ties to China, were leveraging the vulnerability to target a variety of victims, including US government agencies, critical infrastructure providers, and other private sector organisations.

CISA has directed agencies to use the Pulse Connect Secure Integrity Tool to verify the integrity of file systems and take any appropriate action. The tool was created by Ivanti to assist organisations in determining whether malicious behaviour is occurring.

“CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to federal civilian executive branch agencies and requires emergency action,” according to the emergency directive. “This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

Latest Vulnerability
The attacks discovered by FireEye are based on four Pulse Connect Secure flaws, including a zero-day vulnerability, identified in April as CVE-2021-22893.

According to Ivanti, the zero-day bug, which has a CVSS rating of 10 and is classified as “critical,” could enable an unauthenticated, remote attacker to execute arbitrary code through unspecified vectors. All organisations using Pulse Connect Secure should upgrade to version 9.1R.11.4 as soon as possible, according to CISA.

The attackers are also targeting CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which are all older bugs. According to Ivanti, patches for these were released in 2019 and 2020.

According to FireEye, attackers might have used the older vulnerabilities to gain an initial foothold inside their targets.

The Mandiant team at FireEye described two threat groups, UNC2630 and UNC2717, and said they are responsible for the attacks leveraging the Pulse Connect Secure flaws. According to the report, UNC2630 is suspected of having links to another threat group that operates on behalf of the Chinese government, though a conclusive link could not be established.
