Amid high-risk Pulse Secure vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to run a tool on all devices operating Pulse Connect Secure products to check for active exploits allegedly tied to Chinese government-backed operatives.
Emergency Directive 21-03 is the third such order CISA has issued in the past five months, that is, since the SolarWinds Orion incident and the Microsoft Exchange Hafnium attacks. The latest warning comes immediately following a CISA alert regarding vulnerabilities discovered in Pulse Secure's virtual private networking (VPN) software.
Pulse Connect Secure is a popular remote access solution. If it is exploited, hackers can implant web shells on an appliance to gain repeated access to the system.
U.S. Federal Government Agencies: Mitigating Pulse Secure Vulnerability Risks
All federal agencies have been ordered to compile a status report by 5 p.m. EDT on Friday, April 23, 2021, with the following information:
- List all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf.
- Deploy and run the Pulse Connect Secure Integrity Tool on every identified instance of a Pulse Connect Secure appliance.
CISA advised agencies that it is “critical” to run the tool even if the appliance is operating the latest version of the solution and all updates have been applied. If an agency’s version of Pulse Connect Secure is not supported by the tool, an upgrade to the latest version must be installed before running the tool. Agencies are required to run the tool every 24 hours until a patch is issued or apply a workaround provided by Pulse Secure. Should the tool detect an issue, CISA advised agencies to isolate the device from the network and report the incident. A final patch to address the vulnerability is expected in May 2021.
CISA said it is coordinating its response with the Federal Risk and Authorization Management Program (FedRAMP), the government-run program standardizing security assessments for cloud products and services. All FedRAMP authorized cloud service providers (CSPs) have been told to coordinate with their agency customers.
“Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this Directive,” CISA wrote. “If instances of affected versions have been found in a third-party environment, reporting obligations will vary based on whether the provider is another federal agency or a commercial provider,” the alert said.
Mitigating Pulse Secure Vulnerabilities: Department of Homeland Security Tunes In
The directive will remain in place until all agencies operating Pulse Connect Secure servers have applied patches that resolve all currently exploited vulnerabilities. CISA said it will provide the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) with an update by May 10, 2021.
FireEye/Mandiant first reported the weaknesses in Pulse Secure products in an April 20, 2021, blog post. The security provider said it is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. At least two Chinese state-backed threat actors are suspected of exploiting the bug. While FireEye/Mandiant said the actors’ methods and infrastructure suggest “strong similarities” to prior campaigns conducted by APT5, a Chinese-linked threat actor, it acknowledged that no clear evidence to confirm its suspicion has been uncovered.
In a separate alert dated April 22, 2021, CISA said it had identified the Supernova malware during an incident response that dates to at least March 20, 2021. In that case, the threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as Supernova and collected credentials, CISA said.