Utilities using the following SSL VPN products within their environment are strongly encouraged to apply all available patches: Pulse Connect Secure SSL VPN, Fortinet Fortigate SSL VPN, and Citrix Application Delivery Controller (ADC), Gateway and SD-WAN WANOP.
There is on-going, active exploitation of these unpatched devices by multiple threat groups – including advanced persistent threat (APT) actors and ransomware groups – taking advantage of organizations who perpetually postpone patching. Many of the vulnerabilities being exploited had patches developed prior to 2020, yet many devices remain unpatched. In recent days/weeks, CISA has issued advisories and Malware Analysis Reports (MARs) specifically on Pulse Connect Secure. Likewise, WaterISAC has been maintaining a page in the Resource Center on PCS Vulnerability Exploitation Activity and also highlighted this ongoing activity in Some Vulnerabilities Don’t Go Out of Style. Exploitation of unpatched SSL VPN devices has been observed across multiple critical infrastructure sectors, including water and wastewater. It is important that all of these devices used for remote access be secured (patched) to reduce the risk of compromise. Members are encouraged to review available advisories and malware analysis reports and patch and monitor for exploitation as soon as practical. Tenable has an excellent review and analysis of this ongoing activity. Members are also encouraged to forward this information to system administrators and security analysts as appropriate. Read more at Tenable.
Note: The Malware Analysis Reports (MARs) are best for automated indicator sharing and security analysts that can ingest and add data to monitoring/detection tools to alert on indicators of compromise (IoCs). These MARs are part of ongoing exploitation against PCS devices and include data on webshells/backdoors, credential harvesters, and trojans. Member subscribers to Perch will automatically have the indicators added to the Perch platform for detection. See SecurityWeek for a succinct write up on the PCS MARs.