The VPN Exploitation Saga Continued

July 7, 2021 By Chris Beinecke

On April 20, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-03:

“. . . federal civilian departments and agencies running Pulse Connect Secure products, assess and mitigate any anomalous activity or active exploitation detected on their networks. All affected agencies are required to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems, and if mismatches or new files are found, they must take mitigation actions and contact CISA for potential incident response activities.”

“Over the last year, CISA has issued several alerts urging agencies, governments and organizations to assess and patch Pulse Connect Secure vulnerabilities,” said Acting CISA Director Brandon Wales. “This Emergency Directive reflects the seriousness of these vulnerabilities and the importance for all organizations – in government and the private sector – to take appropriate mitigation steps.” Pulse Connect Secure products are widely used for SSL remote access.

The vulnerability is tracked as CVE-2021-22893 (with a maximum 10/10 severity score) and was exploited by state-sponsored threat actors targeting dozens of US and EU government, defense and financial organizations.

Also on April 20th, FireEye Threat Research revealed that suspected Advanced Persistent Threat (APT) actors were leveraging authentication bypass techniques as well as a zero-day vulnerability affecting VPN vendor Pulse Secure.

While the initial mitigations were temporary, on May 3rd, 2021, Pulse Secure released security updates for CVE-2021-22893, with the vulnerability fixes provided in Pulse Connect Secure 9.1R11.4. Swish advises all clients to upgrade immediately to mitigate these critical vulnerabilities. Swish is available to assist clients with VPN best practices and to discuss our experience with agencies successfully mitigating hardware VPN vulnerabilities, which have increased tremendously, in both quality and quantity, during the migration to remote work.

Swish is continuously engaged with federal customers in guiding their cybersecurity architectures while maintaining close relations with top vendors in the space to ensure customer success. The Swish team, under the cybersecurity pillar of our Center of Excellence, is ready to assist in any organization’s self-assessment as they journey to a more secure enterprise.

To learn more, contact us!