A critical zero-day vulnerability (CVE-2021-22893) has recently come to light within the Pulse Connect Secure gateway, affecting organizations utilizing this VPN technology. The vulnerability enables an authentication bypass, which is currently being actively exploited, and there is no available patch at this time.
The primary targets of these intrusions include defense, government, and financial institutions located in the United States and other countries. Evidence suggests that at least two threat actors are leveraging vulnerabilities in Pulse Secure devices to bypass multi-factor authentication systems, thereby gaining unauthorized access to corporate networks.
FireEye, a renowned cybersecurity firm, reported that a combination of previously known vulnerabilities and the newly identified CVE-2021-22893 serves as the entry point for these attacks. In its analysis, FireEye noted the involvement of several malware families in these intrusions, highlighting the sophistication of the campaigns directed at enterprise networks.
The company has designated the ongoing activities under two threat clusters, UNC2630 and UNC2717, linking them to intrusions within U.S. Defense Industrial Base networks and a European organization, respectively. Cybersecurity assessments attribute UNC2630 to state-sponsored actors affiliated with the Chinese government, drawing potential connections to the espionage group APT5 due to historical patterns that echo similar intrusion tactics.
Intrusions believed to be orchestrated by UNC2630 began as early as August 2020, with notable expansions in October of the same year. UNC2717 has been reported to utilize similar vulnerabilities to install custom malware across networks belonging to various government agencies in both Europe and the U.S., suggesting a coordinated exploitation of these weaknesses.
The malware utilized in these operations includes notable families such as SLOWPULSE and HARDPULSE, among others. Two additional strains, STEADYPULSE and LOCKPICK, were also deployed during these attacks but have not yet been associated with a specific group due to insufficient evidence.
By exploiting multiple vulnerabilities in the Pulse Secure VPN products—such as CVE-2019-11510, CVE-2020-8260, and CVE-2021-22893—UNC2630 appears to have harvested valid user credentials, which were then used for lateral movement within compromised environments. This activity maps to several tactics in the MITRE ATT&CK framework, including initial access and persistence: the attackers modified legitimate software on the appliances to enable command execution and maintain control over targeted systems.
In response to the ongoing threat, Ivanti, the vendor behind Pulse Secure, has released temporary mitigations for the critical vulnerability. A complete fix is expected by early May; the company states that the vulnerability affects a limited number of customers. Ivanti has also made available a Pulse Connect Secure Integrity Tool that lets users check their appliances for signs of compromise.
Organizations using Pulse Secure products are strongly advised to follow developments around the vulnerability and prepare to upgrade to the forthcoming PCS Server version. Heightened vigilance is warranted because these incidents coincide with recent advisories from the U.S. government about active exploitation of previously known vulnerabilities by state actors seeking unauthorized access to sensitive networks.