Pulse Secure on Monday released a patch for the zero-day vulnerability that hackers used to access the networks of U.S. defense contractors and other government agencies worldwide.
In a blog posted April 20, FireEye said China-based UNC2630 leveraged CVE-2021-22893 to gain access to Pulse Secure VPN equipment and move laterally. A second threat actor, UNC2717, was also identified exploiting Pulse Secure VPN equipment, but FireEye could not connect it to UNC2630.
Pulse Secure said that over the past couple of weeks it has worked closely with the Cybersecurity and Infrastructure Security Agency (CISA) as well as FireEye and Stroz Friedberg to investigate and respond quickly to the malicious activity that was identified on its customers’ systems.
FireEye said it observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the threat actor to use legitimate account credentials to move laterally into defense industrial base (DIB) companies.
Even now that the Pulse Secure vulnerabilities have been closed, customers should expect that the attacker has established a presence and is quietly performing reconnaissance to identify targets and escalate privilege, said Jeff Barker, vice president of marketing at Illusive.
“We can’t afford for the battle to be lost once an attacker exploits a perimeter weakness and establishes a presence,” Barker said. “An ‘assume compromise’ security posture with increased focus on proper cyber hygiene and detection of ‘living off the land’ post-exploitation activities, like lateral movement, is a must to prevent the attacker from achieving their objectives.”
Kevin Dunne, president at Pathlock, said enterprises have invested heavily in VPNs to support remote working pressures that were dramatically accelerated during COVID-19. He said VPN appliances are now ripe targets for attack because they operate as the gatekeeper between the outside world and crown jewel assets hosted behind the firewall.
“Organizations with a strategy focused solely around securing remote access to the network lose all visibility to what bad actors are doing against business-critical applications within the network once they get inside,” Dunne said. “Security teams need to implement tooling that allows them to monitor what’s happening within the network itself, so they can separate suspicious behavior from everyday behavior so they can respond to threats as quickly as possible.”
Gary Kinghorn, marketing director at Tempered Networks, said that if hackers can bypass authentication checks and execute remote code on your gateway, they could quite conceivably run amok across the whole network, which is now virtually unprotected behind the gateway VPN device.
“This is just another example in a long list of vulnerable security devices that when compromised can cause catastrophic damage,” Kinghorn said. “And even if we really end up with bulletproof security services, some overworked admin will mismanage the setup with a password like 'admin123' or 'password.' The point is we can’t have a single point of failure anymore. We have to make security an inherent part of the IP stack and layer it onto the network.”