The Situation

Several malicious hacker groups have been observed in the wild targeting Government and Financial organisations via the exploitation of multiple vulnerabilities in Pulse Secure VPN products. Twelve malware families have been tied to these APT groups.

Technical Summary

CVE-2021-22893 is an authentication bypass vulnerability utilised by these groups to gain unauthorised access to estates via vulnerable Pulse Secure VPN services. Following up on this, attackers have exploited a combination of Pulse Secure vulnerabilities (CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260) to establish persistent access and further compromise within these networks.

Modifications of Legitimate Pulse Secure Components

Attackers can change the appliance's read-only file system into read-write, allowing them to write and modify files that would usually be locked. Attackers have been seen modifying legitimate Pulse Secure files to introduce backdoors and bypass mechanisms into the VPN authentication flows, permitting them to bypass single- and multi-factor authentication. These modifications (usually found within “”””) allow attackers to view and record credentials (including usernames and passwords) used by legitimate users. These modifications have been dubbed SLOWPULSE by FireEye. Another modification tracked in the wild, dubbed LOCKPICK, is a file within the OpenSSL library, which is responsible for securing encrypted communications.

Webshell Backdoors

Attackers have also been observed injecting webshells into the internet-facing administrative web pages of affected Pulse Secure VPN devices. These webshells have been dubbed RADIALPULSE and PULSECHECK and allow attackers persistent access to the estate and the ability to run commands and launch processes.

Persistence That Survives Upgrades

In several related incidents, APT groups have managed to establish persistent access to estates that survive updates/upgrades by administrators. This means that a simple update or patch may mitigate the problem but will not be enough to remediate the situation if an estate has already been compromised.

Avoiding Detection

Novel techniques utilising regular expression syntax have been used to find and delete relevant log files, clearing traces of attacker activity from compromised devices. Attackers have also been seen deleting utilities and scripts and un-patching modified files to cover up their activity. This means that an attacker could exploit a Pulse Secure service to gain initial access to the estate, establish separate persistence mechanisms, and then clear up evidence of the original exploitation, restoring Pulse Secure to its normal state.

How to Know If You May Have Been Affected?

Ivanti has released a Pulse Connect Secure Integrity Tool so customers can determine whether these vulnerabilities may have impacted them. The tool checks whether any files in your Pulse Connect Secure environment have been modified or added.

FireEye has released a breakdown of the MITRE techniques used by APT groups observed in the wild, including methods and techniques used outside of the initial Pulse Secure vulnerabilities. Organisations should assess whether their current monitoring and tooling are capable of detecting and threat hunting for these various indicators of compromise within their estates, such as modification of files, creation of scheduled jobs, clearing of logs, deployment of web shells.

Within the same GitHub repository, FireEye has included hashes and IOCs relating to attacks and incidents observed in the wild, including Snort rules for network monitoring and YARA rules for agnostic detection of the different malware families associated with the relevant APT groups and vulnerabilities. Additionally, companies should audit VPN access records for connections from unknown or unexpected IPs and for anomalous connections from legitimate users (e.g. legitimate UK user Mark Smith is seen connecting from the US).

Organisations should, where possible, utilise user behavioural analytics platforms (especially those that allow for user behavioural baselining) to identify strange activity from legitimate users (i.e. a user accessing endpoints or servers that they do not usually access), because in many instances attackers use legitimate credentials to move laterally across estates. Strange activity by users can be an indicator that attackers have managed to pivot from the Pulse Secure compromise to a higher degree of access and control within an estate.
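As an added illustration of the access-record audit and behavioural baselining recommended above (example code, not from Ivanti, FireEye or the original post): a small Python script that baselines each user's source countries and accessed resources over an earlier window, then flags later connections from an unknown user, from a new country, or to a new resource. The log format, usernames, addresses and countries are constructed for the example and do not reflect real Pulse Secure log output.

```python
from collections import defaultdict

# Constructed sample VPN access records (not real Pulse Secure log output).
# Fields: timestamp, user, source IP, country the IP geolocates to, resource accessed.
SAMPLE_RECORDS = [
    "2021-04-20T08:01:12Z user=mark.smith src=203.0.113.10 country=GB resource=mail.internal",
    "2021-04-20T08:15:40Z user=mark.smith src=203.0.113.10 country=GB resource=wiki.internal",
    "2021-04-21T09:02:05Z user=mark.smith src=203.0.113.11 country=GB resource=mail.internal",
    "2021-04-22T02:47:33Z user=mark.smith src=198.51.100.77 country=US resource=mail.internal",
    "2021-04-22T02:49:10Z user=mark.smith src=198.51.100.77 country=US resource=dc01.internal",
    "2021-04-22T03:05:55Z user=svc_backup src=192.0.2.200 country=DE resource=fileshare.internal",
]

def parse_record(line):
    """Split one 'key=value' access record into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = ts
    return record

def build_baseline(records):
    """Per user: the countries and resources seen during the baseline window."""
    baseline = defaultdict(lambda: {"countries": set(), "resources": set()})
    for r in records:
        baseline[r["user"]]["countries"].add(r["country"])
        baseline[r["user"]]["resources"].add(r["resource"])
    return baseline

def find_anomalies(records, baseline, known_users):
    """Flag records from unknown users, or a known user's new country or resource.
    A known user with no baseline history is flagged on both counts."""
    findings = []
    for r in records:
        reasons = []
        if r["user"] not in known_users:
            reasons.append("unknown user")
        else:
            seen = baseline[r["user"]]
            if r["country"] not in seen["countries"]:
                reasons.append(f"new country {r['country']}")
            if r["resource"] not in seen["resources"]:
                reasons.append(f"new resource {r['resource']}")
        if reasons:
            findings.append((r["ts"], r["user"], r["src"], "; ".join(reasons)))
    return findings

def audit(lines, cutoff, known_users):
    """Baseline on records before the ISO-8601 cutoff, then audit everything from it onwards."""
    records = [parse_record(line) for line in lines]
    baseline = build_baseline(r for r in records if r["ts"] < cutoff)
    return find_anomalies([r for r in records if r["ts"] >= cutoff], baseline, known_users)
```

Running `audit(SAMPLE_RECORDS, "2021-04-22", {"mark.smith"})` reports the UK user's two US-sourced connections (the second also touching a never-before-seen host) and the unknown service account, which is the kind of deviation the text describes.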

Mitigations and Remediation

Whilst a final patch for the related vulnerabilities is expected at the beginning of May, in the interim all organisations utilising Pulse Connect Secure are recommended to run the Pulse Connect Secure Integrity Tool against their Pulse Connect Secure image/device.

Additionally, organisations worried about the potential ramifications of compromise should ensure that credentials for sensitive accounts and high-impact users are reset.

Updated 04/05/2021: Yesterday, the Pulse Secure team released a security update to address the issue impacting Pulse Connect Secure appliance. We recommend that customers move quickly to apply the update to ensure they are protected.

Secrutiny is available to advise and discuss any concerns.