Ivanti, the parent company of Pulse Secure, has published a permanent fix for a vulnerability in its Pulse VPN products that was exploited to target U.S. government agencies, critical infrastructure providers and other companies over several weeks.
The zero-day flaw, tracked as CVE-2021-22893, is one of at least four vulnerabilities in the Pulse Connect Secure VPN products that have been exploited by a variety of groups, including one with connections to China, earlier this year. In April, the security firm FireEye published a report about the attacks, along with details of the zero-day bug that was exploited.
Ivanti previously published a mitigation that worked around this vulnerability; the patch issued on Monday is a permanent fix for the bug, according to the company.
The Cybersecurity and Infrastructure Security Agency (CISA) and Ivanti are urging organizations that use Pulse Connect Secure VPN products to apply the patch immediately. The company has previously published patches for the other exploited vulnerabilities.
Phil Richards, chief security officer at Ivanti, had this to say:
As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats. Company-wide, we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards.
On Friday, a senior CISA official said that the agency was investigating whether five executive branch agencies may have been breached by attackers exploiting one or more of the vulnerabilities found in the Pulse Connect Secure VPN appliances.
Last month, CISA ordered 26 federal agencies that use Pulse Connect VPN products to run the Pulse Connect Secure Integrity Tool, check the integrity of the file systems within their networks, and report the results back to the agency.
The results showed five networks with traces of suspicious or malicious activity, and further analysis is required.
The FireEye Mandiant team identified two threat groups, labeled UNC2630 and UNC2717, which are believed to be behind the attacks that exploited the Pulse Connect Secure flaws.
In Monday's alert, Ivanti urged customers using Pulse Connect Secure 9.0RX and 9.1RX to upgrade to Pulse Connect Secure 9.1R11.4, which fixes the vulnerability discussed here.
Customers are also advised to run the Integrity Tool to check for additional malicious activity within the network.
If exploited, this zero-day flaw could potentially allow an authenticated, remote attacker to execute arbitrary code through unspecified vectors.