Pulse Connect

Cybersecurity firm FireEye said it is tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices.

The Office of Cybersecurity and Critical Infrastructure (OCCIP) continues to closely monitor the ongoing exploitation of the Pulse Connect Secure (PCS) software. Threat actors are leveraging several vulnerabilities, including the previously disclosed CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, as well as a newly discovered zero-day vulnerability, CVE-2021-22893, to place web shells on the Pulse Connect Secure (PCS) appliance for persistence and further access.

Although there are no reported victims in the financial services sector as of now, PCS is heavily used throughout the sector. OCCIP will continue to work with sector and interagency partners to monitor the exploitation of these vulnerabilities and will adjust its assessment as more facts become known. To aid in your identification and detection efforts, OCCIP would like to highlight the most relevant open source information on the ongoing Pulse Connect Secure incident.

OCCIP remains interested in additional information from our stakeholders in the financial services sector on this vulnerability and associated assessments, including any potential indicators of compromise your organization may observe. If you would like to provide information from your institution’s perspective, please contact us at OCCIP-Coord@treasury.gov, or through the OCCIP hotline at (202) 622-3000. If you would prefer that your information be shared with OCCIP anonymously, please reach out to the FS-ISAC at sharingops@fsisac.com.

Technical Update for May 4:

  • CISA announced that Ivanti has released a security update to address the vulnerabilities affecting Pulse Connect Secure (PCS) software outlined in CVE-2021-22893. The update, PCS version 9.1R11.4, can be downloaded directly from Pulse Secure’s blog post on the compromise. The post was also updated to include a chart detailing which CVEs were used in the compromise and which versions of the PCS software were affected.

Technical Update for May 3:

  • CISA released an updated version of Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities. The updated alert includes a new Detection section providing information on Impossible Travel and Transport Layer Security (TLS) Fingerprinting methods that may prove useful in identifying malicious activity. With Impossible Travel, a single username appears from two IP addresses, in both the authenticated and unauthenticated logs, within the same time window. The geo-locations of the two IP addresses are far enough apart that no one user could have travelled that distance in the time available, hence the term “impossible travel”. With TLS Fingerprinting, malicious actors re-use various JA3 hashes that align with Chrome, Firefox, and other browsers. Note that the majority of JA3 hashes associated with the Pulse Secure compromise are not unique to malicious activity and should be corroborated with other data points before concluding that malicious activity is present. The alert includes a table of JA3 MD5 hashes for reference.
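
The two detection methods described in the alert, as an added example that is not code from the CISA alert or the OCCIP page: impossible-travel detection over constructed login records, with a JA3 match used only to corroborate a travel finding rather than as evidence on its own. The IP addresses, coordinates, timestamps and the JA3 watchlist value are all constructed placeholders; the real JA3 MD5 hashes are in the table in AA21-110A.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events, modelled on what parsed Pulse Connect Secure access logs would
# yield (username, timestamp, source IP, JA3 of the client TLS hello). Not real log data.
EVENTS = [
    {"user": "jdoe",   "ts": "2021-04-20T14:00:00", "ip": "203.0.113.10",  "ja3": "ja3-browser-common"},
    {"user": "jdoe",   "ts": "2021-04-20T14:05:00", "ip": "198.51.100.25", "ja3": "ja3-watchlist-example"},
    {"user": "asmith", "ts": "2021-04-20T14:00:00", "ip": "203.0.113.10",  "ja3": "ja3-browser-common"},
    {"user": "asmith", "ts": "2021-04-20T18:00:00", "ip": "192.0.2.7",     "ja3": "ja3-browser-common"},
    {"user": "bwong",  "ts": "2021-04-20T15:00:00", "ip": "192.0.2.7",     "ja3": "ja3-watchlist-example"},
]
# Constructed GeoIP lookup (latitude, longitude); a real deployment would query a GeoIP database.
GEOIP = {"203.0.113.10": (40.7128, -74.0060),   # New York
         "198.51.100.25": (51.5074, -0.1278),   # London
         "192.0.2.7": (42.3601, -71.0589)}      # Boston
# Placeholder JA3 watchlist; the real MD5 hashes are in the table in CISA Alert AA21-110A.
JA3_WATCHLIST = {"ja3-watchlist-example"}
MAX_SPEED_KMH = 900.0  # faster than an airliner: no legitimate user can move that fast

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(events, geoip=GEOIP, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one username from two IPs too far apart for the elapsed time."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(geoip[prev["ip"]], geoip[cur["ip"]])
            speed = km / hours if hours > 0 else math.inf  # same-second logins count as impossible
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["ip"], "to": cur["ip"], "km": round(km), "kmh": round(speed), "ja3": cur["ja3"]})
    return findings

def corroborate(findings, watchlist=JA3_WATCHLIST):
    """Keep only findings whose second login also used a watchlisted JA3. A JA3 match on its own is
    deliberately not a finding, because most of these hashes also occur in benign browser traffic."""
    return [f for f in findings if f["ja3"] in watchlist]
```

Running `corroborate(find_impossible_travel(EVENTS))` reports only jdoe: the New York to London hop in five minutes implies tens of thousands of km/h and the second login used a watchlisted JA3, while bwong's watchlisted JA3 without any travel anomaly is correctly left alone.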

Technical Updates for April 22:

  • CISA is hosting a Partner Call today (Thursday, April 22) at 4 pm Eastern, addressing the release of Emergency Directive 21-03: Mitigate Pulse Secure Product Vulnerabilities and Activity Alert AA21-110A. Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations that use Pulse Connect Secure products to review the Emergency Directive and the Activity Alert. This call will have representatives from CISA, Ivanti, and FireEye to discuss the vulnerability and highlight information we have shared, including the Activity Alert and Emergency Directive.

Date/Time: Thursday, April 22, 2021 (4:00pm EST)
Participant Toll Free Dial in Number: 1-800-857-6546 (passcode 6112112)
International Dial in Number: 1-212-547-0388 (passcode 6112112)

Technical Updates for April 21:

  • CISA has issued Emergency Directive (ED) 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities, as well as Alert AA21-110A, to address the exploitation of vulnerabilities affecting Pulse Connect Secure (PCS) software. In the documents, CISA notes that an attacker could exploit these vulnerabilities to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device.

    These vulnerabilities are being exploited in the wild. Specifically, ED 21-03 directs federal departments and agencies to run the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added. Although ED 21-03 applies to Federal Civilian Executive Branch departments and agencies, CISA strongly recommends that state and local governments, the private sector, and others run the Pulse Connect Secure Integrity Tool and review ED 21-03 for additional mitigation recommendations.
  • Mandiant published a blog post titled Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day, in which they examined multiple related techniques for bypassing single-factor and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through web shells. The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.

    Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021. Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues. There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.