Advanced persistent threat actors are exploiting zero-day vulnerabilities in Pulse Secure VPN devices to gain access to the U.S. defense industry, financial organizations and a number of overseas targets, including in Europe, according to researchers at Mandiant.
Researchers at Mandiant are tracking 12 malware families linked to the attacks. APT actors harvest legitimate credentials in order to gain access and move laterally across environments.
The Cybersecurity and Infrastructure Security Agency issued an emergency directive earlier this week warning federal agencies to mitigate exposure to Pulse Connect Secure vulnerabilities, saying they posed an "unacceptable risk."
The Pulse Secure attacks date back to vulnerabilities originally discovered in 2019, and mark the latest in a series of threat activities linked to the VPN vulnerabilities.
"In many cases victims were compromised using 2019 vulnerabilities on unpatched systems, however the attackers were capable of compromising fully patched systems and did so at a limited number of high value targets," said Stephen Eckels, reverse engineer, FLARE at Mandiant, via email.
Officials at Ivanti, the parent company of Pulse Secure, confirmed they have been working with customers on the latest series of attacks.
"The Pulse Connect Secure team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances," company officials said in a statement. "The PCS team has provided remediation guidance to these customers directly."
CISA issued an urgent warning to federal agencies and others to take steps to mitigate the risk of attacks by April 23.
"We're aware of 24 agencies running the Pulse Connect Secure devices, but it's too early to determine conclusively how many have actually had the vulnerability exploited," a spokesperson for CISA said.
CISA said the threat activity is linked to three previously known vulnerabilities and one newly discovered one: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893. The threat actor is installing webshells on Pulse Secure devices to bypass authentication and multifactor authentication, log passwords and persist through patching.
All organizations running Pulse Secure devices should follow the steps in the CISA Activity Alert and Emergency Directive to identify potential intrusions and should also run the Integrity Checker, a spokesperson for CISA said.
After running the tool, users should report any hash mismatches or newly detected files to the vendor and to CISA, to help build a better understanding of how widely the private and public sectors are exposed, the spokesperson added.
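As an added illustration, not the vendor's Integrity Checker and not code from this article, this is the kind of baseline comparison such a tool performs: hash every file under a directory, compare against a known-good manifest, and separate hash mismatches from files that were not in the baseline at all. The directory layout, file names and contents below are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between a known-good manifest and the live tree.

    'mismatched': same path, different hash (a shipped file was altered).
    'new': present on disk but absent from the baseline (an unexpected file).
    'missing': in the baseline but no longer on disk.
    Mismatched and new entries are what an operator would report upstream."""
    mismatched = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"mismatched": mismatched, "new": new, "missing": missing}


def demo():
    """Constructed scenario: take a baseline, then alter one shipped file and
    drop one unexpected file into the tree. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "handler"), "w") as fh:
            fh.write("original handler\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("baseline notes\n")
        baseline = hash_tree(root)
        # Simulated post-incident state: modified handler plus an extra file.
        with open(os.path.join(root, "bin", "handler"), "a") as fh:
            fh.write("appended line\n")
        with open(os.path.join(root, "bin", "extra"), "w") as fh:
            fh.write("unexpected\n")
        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```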
The Department of Defense is also aware of the vulnerabilities, a Pentagon spokesperson confirmed. "We are assessing the potential impact to the Defense Information Network and taking the appropriate steps to protect the data, network and systems."
Earlier this month, the FBI and CISA issued a warning about APT groups targeting Fortinet VPN devices.