These vulnerabilities are publicly known and are being used to scan and exploit vulnerable systems, obtain authentication credentials, and gain further access to systems.
The known vulnerabilities that the SVR is exploiting are:
- CVE-2018-13379 – FortiOS SSL VPN web portal
- CVE-2019-9670 – Synacor Zimbra Collaboration Suite
- CVE-2019-11510 – Pulse Secure Pulse Connect Secure VPN
- CVE-2019-19781 – Citrix Application Delivery Controller and Gateway
- CVE-2020-4006 – VMware Workspace ONE Access
We strongly urge all organizations to immediately patch vulnerable devices. We recommend speaking with your IT team or patch management administrators, whether in-house or at a managed service provider, to ensure the relevant patches have been installed and devices are up to date.
Furthermore, CISA released an alert on April 20th 2021 regarding the exploitation of Pulse Connect Secure VPN vulnerabilities by nation-state attackers. Successful exploitation of these vulnerabilities could allow an attacker to gain persistent system access to the appliance running the vulnerable software. The vulnerabilities being exploited in this instance are:
- CVE-2019-11510 (as above)
- CVE-2020-8260
- CVE-2020-8243
- CVE-2021-22893 (no patch currently available – mitigations available from Ivanti)
We strongly encourage organizations using Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool available in the references below, update to the latest software version, and investigate for malicious activity.
If you have concerns about your environment and need assistance, please contact CFC’s 24/7 Incident Response team through the CFC IR mobile application, or use these phone numbers:
- USA (local): 1 844 677 4155
- Canada (local): 1800 607 1355
- Australia (local): 1800 803 202
- UK: 0800 975 3034
- Rest of World: +44 (0) 208 798 3134
References
NSA, CISA, and FBI cybersecurity advisory
https://cyber.dhs.gov/ed/21-03/
https://www.ncsc.gov.uk/news/advice-on-pulse-connect-secure-rce-vulnerability
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755