
Pulse Connect Secure (PCS) SSL VPN - Vulnerability Exploitation Activity - Updated July 22, 2021

Created: Thursday, July 22, 2021 - 12:00
Categories: Cybersecurity

Pulse Connect Secure (PCS) SSL VPN - Vulnerabilities being Actively Exploited - Updated July 22, 2021

Reminder: If your utility uses Ivanti Pulse Connect Secure (PCS) SSL VPN, WaterISAC highly recommends tracking and reviewing current notifications/alerts/advisories for important developments.

CISA has analyzed and released Malware Analysis Reports (MARs) regarding 13 malware samples related to threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) for exploited Pulse Connect Secure devices. Most of the malicious files are modified versions of Pulse Secure system applications, but the set also includes webshells, trojans, credential harvesters, and utilities.

While MARs are best suited for cyber-mature utilities with monitoring capabilities, any organization using PCS would benefit from reviewing the reports, even if it is unable to ingest them into a detection platform. For utilities with monitoring capabilities that do not already have the list, a downloadable list of IOCs can be obtained at AA21-110A.stix. Member utilities subscribed to Perch have detection coverage available through the Perch platform. Read more at SecurityWeek, review the MARs at CISA, and follow the Exploitation of Pulse Connect Secure Vulnerabilities alert (AA21-110A), also at CISA.
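For utilities that do want to ingest the STIX list, the following added example (not CISA's, Perch's or WaterISAC's code) shows how indicator patterns in a STIX 2.1 bundle are turned into atomic IOC values and matched against hashes and domains collected from a host or proxy. The bundle, the hash values and the observed artifacts are all constructed placeholders; the real AA21-110A.stix contents are not reproduced here.

```python
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder values; they stand in for real indicator hashes and are NOT IOCs.
CONSTRUCTED_SHA256 = "a" * 64
CONSTRUCTED_SHA256_2 = "c" * 64
CONSTRUCTED_MD5 = "b" * 32

# Constructed STIX 2.1 bundle showing the indicator shape used by CISA feeds.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed: modified PCS system binary",
         "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{CONSTRUCTED_SHA256}']",
         "valid_from": "2021-04-20T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed: webshell dropper (two hashes in one pattern)",
         "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{CONSTRUCTED_SHA256_2}' OR file:hashes.MD5 = '{CONSTRUCTED_MD5}']",
         "valid_from": "2021-04-20T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed: C2 domain",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']",
         "valid_from": "2021-04-20T00:00:00Z"},
        # Non-indicator objects (malware, relationships, ...) carry no pattern and are skipped.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "constructed", "is_family": False},
    ],
})

# One comparison inside a STIX pattern: <object>:<path> = '<value>'
COMPARISON_RE = re.compile(r"(?P<obj>[\w-]+):(?P<path>[^\s=]+)\s*=\s*'(?P<value>[^']*)'")


def _ioc_key(obj: str, path: str) -> Optional[str]:
    """Map a STIX object/path pair onto a simple IOC type name, or None if unsupported."""
    path = path.replace("'", "")  # hashes.'SHA-256' -> hashes.SHA-256
    if obj == "file" and path.startswith("hashes."):
        return path.split(".", 1)[1].replace("-", "").lower()  # SHA-256 -> sha256
    if obj == "domain-name" and path == "value":
        return "domain"
    if obj == "ipv4-addr" and path == "value":
        return "ipv4"
    return None


def extract_iocs(bundle_json: str) -> Dict[str, Set[str]]:
    """Collect atomic IOC values from every STIX-pattern indicator in the bundle.

    Compound patterns ('... OR ...') yield one value per comparison. Values are
    lower-cased so that hash case differences between sources do not matter."""
    iocs: Dict[str, Set[str]] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            key = _ioc_key(m["obj"], m["path"])
            if key:
                iocs.setdefault(key, set()).add(m["value"].lower())
    return iocs


def match_observations(iocs: Dict[str, Set[str]],
                       observed: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) pairs from observed artifacts that appear in the IOC set."""
    hits = []
    for kind, values in observed.items():
        for value in values:
            if value.lower() in iocs.get(kind, set()):
                hits.append((kind, value.lower()))
    return hits


# Constructed artifacts as a host or proxy export might provide them.
OBSERVED = {
    "sha256": [CONSTRUCTED_SHA256.upper(), "d" * 64],
    "domain": ["vpn.example.com", "example.invalid"],
}

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_BUNDLE)
    for kind, values in found.items():
        print(f"{kind}: {len(values)} indicator value(s)")
    for kind, value in match_observations(found, OBSERVED):
        print(f"HIT {kind} {value}")
```

The regex handles the equality comparisons that make up the bulk of a hash-and-domain feed; STIX patterns can also express `AND`, `FOLLOWEDBY` and time windows, which a full ingest would hand to a proper STIX pattern library rather than a regex.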

Situation Update - June 7, 2021

Active Exploitation of Ivanti Pulse Connect Secure (PCS) SSL VPN Against Multiple Critical Infrastructure Entities

ATTENTION system and network administrators

Specific Actions Recommended:

  • If your utility uses Ivanti Pulse Connect Secure (PCS) SSL VPN, WaterISAC highly recommends immediately reviewing current notifications/alerts/advisories to determine vulnerability exposure and address accordingly.
  • Utilities using Ivanti Pulse Connect Secure (PCS) SSL VPN should run the Pulse Secure Integrity Checker Tool (ICT) to help determine whether your Pulse Connect Secure device has been compromised.
  • The Integrity Checker Tool (ICT) helps system owners understand whether their Pulse Connect Secure device has been compromised. While the tool is accurate, there are several nuances to its effective use.
    • The ICT detects evidence of adversary cleanup only on the current, running version of PCS.
    • During the upgrade process, the active version becomes a rollback partition.
    • Only one rollback partition exists on a device, as the rollback partition is replaced on each update.
    • It may be necessary to roll back the current PCS version to have a valid run of the ICT.
    • Therefore, if an entity has updated their PCS device without running the correct version of the ICT, anomalous activity will not be detected.
      • Examples:
        • If you were on version A on 3/31, the threat actor cleaned up on 4/22, and you then updated to the current version B on 5/5, you could roll back to A and see the activity.
        • However, if you were version A on 3/31, the threat actor cleaned up on 4/22, then you updated to the current version B on 5/5, and version C on 6/11, the rollback partition would now be Version B. Since the threat actor was never on version B, the ICT would never identify any activity.
  • It is important that asset owners and system administrators verify version compatibility before running the ICT. Failure to validate compatibility could result in false negative findings even when a compromise exists.
  • To validate ICT compatibility with supported PCS appliances, visit Ivanti KB44755 - Pulse Connect Secure (PCS) Integrity Assurance.
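The rollback-partition nuance above is easy to get wrong when an appliance has been upgraded more than once. The following added example (not Ivanti's or CISA's code, and not part of the ICT) models the single rollback slot described in the bullets: each upgrade moves the old active version into the rollback partition and discards whatever was there before. Given a timeline of upgrades and the date of suspected actor activity, it reports whether the ICT can still reach the affected version from the active partition, from the rollback partition, or not at all. The A/B/C versions and dates follow the advisory's example and are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Upgrade:
    version: str        # PCS version label installed by this upgrade (hypothetical)
    installed_on: date  # date the upgrade went live


def version_running_on(initial: str, upgrades: List[Upgrade], when: date) -> str:
    """Return the PCS version that was the active partition on a given date."""
    running = initial
    for up in sorted(upgrades, key=lambda u: u.installed_on):
        if up.installed_on <= when:
            running = up.version
    return running


def partitions_today(initial: str, upgrades: List[Upgrade]) -> Tuple[str, Optional[str]]:
    """Replay the upgrades and return (active, rollback).

    Models the behaviour in the advisory: only one rollback partition exists,
    and every upgrade overwrites it with the version that was active until then."""
    active: str = initial
    rollback: Optional[str] = None
    for up in sorted(upgrades, key=lambda u: u.installed_on):
        active, rollback = up.version, active
    return active, rollback


def ict_evidence_location(initial: str, upgrades: List[Upgrade],
                          activity_on: date) -> Optional[str]:
    """Where the ICT can still find traces of activity that occurred on activity_on.

    'active'   -> run the ICT on the current version
    'rollback' -> roll back to the previous partition, then run the ICT
    None       -> the affected partition has been overwritten; the ICT cannot see it"""
    affected = version_running_on(initial, upgrades, activity_on)
    active, rollback = partitions_today(initial, upgrades)
    if affected == active:
        return "active"
    if affected == rollback:
        return "rollback"
    return None


# Constructed timeline mirroring the advisory's example: on version A on 3/31,
# actor clean-up on 4/22, then one or two later upgrades.
ACTOR_CLEANUP = date(2021, 4, 22)
ONE_UPGRADE = [Upgrade("B", date(2021, 5, 5))]
TWO_UPGRADES = [Upgrade("B", date(2021, 5, 5)), Upgrade("C", date(2021, 6, 11))]

if __name__ == "__main__":
    for label, ups in (("no upgrade", []), ("one upgrade", ONE_UPGRADE), ("two upgrades", TWO_UPGRADES)):
        active, rollback = partitions_today("A", ups)
        where = ict_evidence_location("A", ups, ACTOR_CLEANUP)
        print(f"{label:12s} active={active} rollback={rollback} -> ICT evidence: {where}")
```

Running it prints `rollback` for the one-upgrade case and `None` for the two-upgrade case, which is the situation the advisory warns about: a device that has been updated twice since the activity no longer holds the partition the actor touched, and a clean ICT result on it is not evidence of a clean device.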

If your utility discovers a compromised system, CISA emphasizes close monitoring of the network, including reviewing the CISA Activity Alert AA21-110A for tactics, techniques, and procedures (TTPs) regarding actor cleanup, how to hunt for lateral movement from this initial activity, and sharing the information with CISA at https://us-cert.cisa.gov/forms/report.

For further reference, system/network administrators and analysts are encouraged to review:

Situation Update - May 28, 2021


The Cybersecurity and Infrastructure Security Agency (CISA) has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities to include new threat actor tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations.


In addition to the updated alert, CISA encourages users and administrators to review:

Situation Update - April 30, 2021

The Cybersecurity and Infrastructure Security Agency (CISA) has updated Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities, originally released April 20. This update adds a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting that may be useful in identifying malicious activity.
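Impossible travel is a detection that needs only the VPN sign-in log and a GeoIP lookup: two successful logins by the same account from locations too far apart for the time between them imply a stolen credential or session. The following added example (not CISA's detection logic and not PCS log format) implements that check over a constructed sample of sign-in records; the IP-to-coordinate table is a constructed stand-in for a GeoIP database, and the 900 km/h threshold is an assumed value roughly matching airline speed.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed VPN sign-in records (not real Pulse Connect Secure log output).
SAMPLE_LOG = """\
2021-04-20T08:00:00Z user=jdoe src=203.0.113.5 result=success
2021-04-20T08:05:00Z user=asmith src=203.0.113.9 result=success
2021-04-20T09:30:00Z user=jdoe src=198.51.100.7 result=success
2021-04-20T17:00:00Z user=asmith src=192.0.2.44 result=success
2021-04-20T17:02:00Z user=asmith src=192.0.2.44 result=failure
"""

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP database.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.5": (40.7128, -74.0060),   # New York
    "203.0.113.9": (40.7128, -74.0060),   # New York
    "198.51.100.7": (50.1109, 8.6821),    # Frankfurt
    "192.0.2.44": (41.8781, -87.6298),    # Chicago
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str


def parse_auth_log(text: str) -> List[Login]:
    """Parse successful sign-ins only; a failed attempt does not place the user anywhere."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        logins.append(Login(ts, m["user"], m["src"]))
    return sorted(logins, key=lambda l: (l.user, l.ts))


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_impossible_travel(logins: List[Login], geo: Dict[str, Tuple[float, float]],
                           max_kmh: float = 900.0) -> List[dict]:
    """Flag consecutive sign-ins per user whose implied ground speed exceeds max_kmh."""
    by_user: Dict[str, List[Login]] = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.src not in geo or cur.src not in geo:
                continue  # no location data: speed cannot be computed, so no verdict
            km = haversine_km(geo[prev.src], geo[cur.src])
            if km == 0:
                continue  # same place (or same address): nothing to flag
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf  # simultaneous logins far apart
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev.src, "to": cur.src,
                               "km": round(km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_auth_log(SAMPLE_LOG), GEO):
        print(f"IMPOSSIBLE TRAVEL {alert['user']}: {alert['from']} -> {alert['to']} "
              f"{alert['km']} km in effect at {alert['kmh']} km/h")
```

On the sample data only `jdoe` is flagged (New York to Frankfurt in ninety minutes); `asmith`'s New York to Chicago move over nine hours is within the threshold. In production the main sources of false positives are VPN-over-VPN and mobile carrier geolocation, so the alert should be enriched with the ASN of both addresses before it reaches an analyst.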

Original Posting - April 21, 2021

What you need to know
Is the disclosed zero-day vulnerability patched? NO; the vendor is developing a patch that is expected to be released in early May.

Are workarounds available? YES, including running the Pulse Connect Secure Integrity Tool.

Is this vulnerability being actively exploited? YES, along with two previously disclosed vulnerabilities.

Additional Information
Due to ongoing exploitation of Ivanti Pulse Connect Secure (PCS) SSL VPN vulnerabilities, CISA has issued Emergency Directive (ED) 21-03 and Alert AA21-110A. Exploitation of these vulnerabilities could allow an attacker to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device.

Specifically, ED 21-03 directs federal departments and agencies to run the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added.

According to FireEye, the investigation by Pulse Secure has determined that the exploitation of a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021 (CVE-2021-22893) is responsible for the initial infection vector.

Recommended Actions
CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to follow the guidance in Alert AA21-110A, which includes:

As usual, even though Emergency Directives apply only to Federal Civilian Executive Branch departments and agencies, CISA strongly recommends that state and local governments, the private sector, and others follow the recommended guidance, including running the Pulse Connect Secure Integrity Tool, and review ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities for additional mitigation recommendations.

For additional information regarding this ongoing exploitation, see the FireEye blog post: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day and the CERT Coordination Center (CERT/CC) Vulnerability Note VU#213092. Access the ED, AA, and other recommended guidance at CISA.

Additional Resources