Pulse Secure: When Your Defenses Are Turned Against You
Introduction
Vulnerabilities in enterprise network and security devices are being aggressively targeted by APT and ransomware threat actors as initial access vectors into enterprises. Pulse Secure VPN devices have proven to be the most popular targets, and their ongoing exploitation highlights how devices that were intended to defend the network are increasingly being exploited to cause damage.
Pulse Secure also highlights the critical role that firmware plays in today’s enterprise attack surface. Security teams need to understand what makes these vulnerabilities unique, how they are being attacked in the wild, and the key steps to mitigate their risk.
Pulse Secure Vulnerabilities Attacked in the Wild
To date, attackers have primarily focused on five vulnerabilities in critical Pulse Secure devices, spanning arbitrary file reads, remote code execution, authentication bypass, and other high-severity issues. (See CVE-2019-11510, CVE-2019-11539, CVE-2020-8243, CVE-2020-8260, and CVE-2021-22893 for details.) On October 7th, 2019, the NSA issued a Cybersecurity Advisory detailing the use of CVE-2019-11510 and CVE-2019-11539 by multiple nation-state APT actors. These vulnerabilities enable unauthenticated attackers to capture keys and inject commands, ultimately enabling the actors to gain initial access to networks, spread laterally, and deliver additional malware payloads. These vulnerabilities became very popular with a variety of APT actors, and CISA has subsequently published multiple alerts highlighting the ongoing exploitation of these vulnerabilities by threat actors from Iran, Russia, and China.
These same techniques were quickly adopted by some of the most destructive ransomware groups in the wild, including Maze, Netwalker, and REvil. REvil in particular is well known for extorting vast amounts of money from victims, including an $11 million ransom extorted from meat processor JBS.
Unfortunately, attackers were not done with Pulse Secure, and in April of 2021, reports surfaced that APT actors were targeting defense, government, and financial organizations via a new zero-day Pulse Secure vulnerability CVE-2021-22893.
Key details of these vulnerabilities are summarized in the table below:
CVE | CVSS Score / Severity | Associated Threat Actors | Affected Platforms |
CVE-2019-11510 | 10.0 Critical | APT Actors, BlackKingdom Ransomware, Groove Ransomware, Maze Ransomware, Netwalker Ransomware, REvil Ransomware | Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 |
CVE-2019-11539 | 7.2 High | APT Groups, REvil Ransomware | Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1 |
CVE-2020-8243 | 7.2 High | APT Actors, Ransomware Actors | Pulse Connect Secure before 9.1R8.2 |
CVE-2020-8260 | 7.2 High | APT Actors, Ransomware | Pulse Connect Secure before 9.1R9 |
CVE-2021-22893 | 10.0 Critical | APT Actors, Ransomware | Pulse Connect Secure 9.0R3/9.1R1 and higher |
Key Considerations for Protecting Pulse Secure Devices
Pulse Secure devices have become one of the most active areas of the enterprise attack surface, and this requires security teams to be proactive in terms of identifying and mitigating their risk. There are a few items that teams should consider:
- Understand the Full Attack Surface – Pulse Secure is a popular enterprise VPN in use around the world today, and this large pool of potential targets is one of the reasons attackers continue to target the devices and search for new vulnerabilities. Large organizations may have many Pulse Secure devices, and any one of them could provide a path into the enterprise. Attackers have tools to actively discover vulnerable devices, so it is imperative that security teams have visibility into all of their Pulse Secure devices.
- Prioritizing Pulse Secure Vulnerabilities – Vulnerabilities in networking or security infrastructure may not fall under the purview of traditional vulnerability management teams, which often focus on patches to traditional operating systems and applications. Security teams may need to add tools or scans to proactively identify Pulse Secure vulnerabilities and escalate responses for those specific vulnerabilities being exploited in active attacks.
- Integrity Must Be Continually Monitored – The recent zero-day exploits of Pulse Secure devices should serve as a reminder that even the most fastidious patching can’t address all risks. In order to detect such emerging threats, organizations must be able to proactively monitor the integrity of their devices to ensure that they have not been compromised or altered.
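One way to turn the table above into a triage check over a device inventory, as an added example that is not Eclypsium's code. The rules are transcribed from the Pulse Connect Secure entries in the table (Pulse Policy Secure versions are omitted). The host names and versions in the inventory are constructed, and ordering releases numerically by their `R` number and patch level is an assumption.

```python
import re

# Rules transcribed from the table above (Pulse Connect Secure rows only).
# "branch": fixed release per major.minor branch; "before": every release below it;
# "from": first affected release per branch (the table lists no fixed release).
RULES = {
    "CVE-2019-11510": ("branch", ["8.2R12.1", "8.3R7.1", "9.0R3.4"]),
    "CVE-2019-11539": ("branch", ["8.1R15.1", "8.2R12.1", "8.3R7.1", "9.0R3.4"]),
    "CVE-2020-8243": ("before", ["9.1R8.2"]),
    "CVE-2020-8260": ("before", ["9.1R9"]),
    "CVE-2021-22893": ("from", ["9.0R3", "9.1R1"]),
}
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """'9.0R3.4' -> (9, 0, 3, 4); a missing patch level counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PCS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def affected_cves(version):
    """Return the CVEs from the table that apply to a PCS version string."""
    v = parse_version(version)
    hits = []
    for cve, (kind, bounds) in RULES.items():
        for b in map(parse_version, bounds):
            same_branch = v[:2] == b[:2]
            if ((kind == "branch" and same_branch and v < b)
                    or (kind == "before" and v < b)
                    or (kind == "from" and same_branch and v >= b)):
                hits.append(cve)
                break
    return hits

def triage(inventory):
    """Map each host to its CVEs; unparseable versions are flagged, not dropped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = affected_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report

# Constructed inventory (hypothetical host names and versions).
INVENTORY = {"vpn-a": "9.0R3.2", "vpn-b": "9.1R9", "vpn-c": "8.1R14", "vpn-d": "n/a"}
if __name__ == "__main__":
    print(triage(INVENTORY))
```

A device whose version cannot be parsed is reported as `UNKNOWN-VERSION` rather than treated as clean, since an unidentified device is still part of the attack surface.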
Identify, Verify, and Fortify Your Pulse Secure Devices
Eclypsium recently released Eclypsium for Network Devices, a solution that gives organizations the visibility and control to easily and consistently protect their Pulse Secure devices from the firmware layer up. With Eclypsium for Network Devices, security teams can:
- Identify Pulse Secure Devices and Firmware – Eclypsium’s distributed discovery allows teams to proactively find all their Pulse Secure devices to ensure they have a complete picture of their attack surface. The solution provides insight into the firmware version that is currently running on the device and allows teams to search for specific versions.
- Verify Pulse Secure Firmware Versions, Integrity and Vulnerability States – Next, security teams need to identify any vulnerabilities or signs of compromise in their Pulse Secure devices. Eclypsium finds the specific vulnerabilities that are being attacked in real-world APT and ransomware campaigns. This ensures that staff can focus on the issues that really matter without generating large volumes of low-value vulnerability alerts. Eclypsium can then verify the integrity of the firmware to ensure that it has not been altered. This includes the ability to compare the firmware to known-good versions of firmware as well as detecting known and unknown threats.
- Fortify Pulse Secure Devices Through Firmware Patching – The most fundamental safeguard is assuring that the patch levels in your Pulse Secure devices are current, up-to-date, and no longer vulnerable. Eclypsium helps operational teams determine how patches should be applied and how configurations should be hardened.
These key capabilities arm security teams with the tools they need to reliably protect their Pulse Secure devices and the users and assets that they support. As with any active area of cybersecurity, attackers are constantly evolving and seeking out new vulnerabilities and techniques. Eclypsium specializes in the critical areas of firmware security and network devices, and our industry-leading research ensures organizations stay up to date even as new risks and threats emerge.
Visit https://eclypsium.com/enterprise-firmware-security/network/ to learn more about Eclypsium for Network Devices or to download a product brief.