HC3 TLP White Alert – Exploitation of Pulse Connect Secure Vulnerabilities

Executive Summary

Since June 2020, unidentified threat actors have targeted vulnerabilities in certain Ivanti Pulse Connect Secure products. The threat actors gained initial access by exploiting the following vulnerabilities: CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893.
Upon exploitation, the threat actors “place webshells on the Pulse Connect Secure appliance for further access and persistence.” This access can allow the threat actors to perform authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

Report

Alert (AA21-110A) Exploitation of Pulse Connect Secure Vulnerabilities
https://us-cert.cisa.gov/ncas/alerts/aa21-110a

Impact to HPH Sector

These vulnerabilities continue to affect organizations using Ivanti Pulse Connect Secure products, including U.S. government agencies, critical infrastructure entities, and other private sector organizations. While the impact to the HPH Sector is currently unknown, the threat actors’ targeting of critical infrastructure makes the HPH Sector a potential target. Please stay informed of updates on these vulnerabilities as new information is reported.

References

CISA – Samples of Malware Targeting Pulse Secure Devices
https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting-pulse-secure-devices

Pulse Secure – KB44755 - Pulse Connect Secure (PCS) Integrity Assurance Tool
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755

CISA – STIX-formatted list of indicators of compromise associated with the vulnerabilities
https://us-cert.cisa.gov/sites/default/files/publications/AA21-110A.xml

HHS – Active Exploitation of Pulse Secure Zero-Day Vulnerabilities by Multiple Threat Actors
https://www.hhs.gov/sites/default/files/pulse-secure-vulnerabilities-analyst-note.pdf

Contact Information
If you have any additional questions, please contact us at HC3@hhs.gov.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272

(M) +1 202 640 9159
