04.22.21

Threat Report

CVE-2021-22893 – Pulse Secure VPN Zero-Day & Active Exploits

By Deepwatch

Executive Summary

Deepwatch is currently tracking and responding to multiple advisories reporting that Pulse Secure VPN appliances are being exploited through a zero-day vulnerability (CVE-2021-22893, an authentication bypass) used in conjunction with older, already-patched vulnerabilities. According to external intelligence sources, these attacks appear to primarily target defense, government, and financial organizations.

Affected Versions:

  • Pulse Connect Secure (PCS) 9.0R3 and higher

What Can You Do?

Deepwatch recommends following Pulse Secure’s advisory[1] to:

  1. Implement Pulse Secure’s workaround for the zero-day vulnerability (CVE-2021-22893 can be mitigated by importing the Workaround-2104.xml file provided in the advisory)
  2. Run the Pulse Connect Secure (PCS) Integrity Assurance tool[2] to check the integrity of the appliance’s file system
  3. At your network perimeter, block requests whose paths match the following URI patterns (regular expressions; the ^/+ form also covers repeated-slash variants) known to be leveraged in these attacks:
    • ^/+dana/+meeting
    • ^/+dana/+fb/+smb
    • ^/+dana-cached/+fb/+smb
    • ^/+dana-ws/+namedusers
    • ^/+dana-ws/+metric

In May, Pulse Secure is expected to release a security patch as the final mitigation for the zero-day vulnerability currently being exploited.

What is Deepwatch Doing?

  • The Managed Detection & Response team is reviewing customers who currently send Pulse Secure VPN logs to Splunk
    • Deepwatch is performing a 90-day look back for the URI Indicators of Compromise (IOCs) listed below across the customer base to identify potential targets
  • Vulnerability Management is researching the presence of both Pulse Secure VPN and the zero-day vulnerability in customer environments. Because detections for this vulnerability were released by Tenable (Plugin ID 148847) and Qualys (QID 38838) only this week, any given environment requires a new scan to validate whether the vulnerability is present. We will therefore check both whether the VPN exists and whether the vulnerability has been detected in any customer environment to date. If found, we recommend following the workarounds in the Pulse Secure advisory referenced above.

CVEs

  • CVE-2019-11510 (pre-authentication arbitrary file read)
  • CVE-2020-8260 (authenticated remote code execution via uncontrolled gzip extraction)
  • CVE-2020-8243 (authenticated remote code execution via code injection in custom templates)
  • CVE-2021-22893 (authentication bypass; the zero-day covered by this report)

IOCs

URI Paths

  • ^/+dana/+meeting
  • ^/+dana/+fb/+smb
  • ^/+dana-cached/+fb/+smb
  • ^/+dana-ws/+namedusers
  • ^/+dana-ws/+metric

Hashes

Per CISA’s advisory[3], the following files have been observed providing webshell functionality:

  • DSUpgrade.pm
    • MD5: 4d5b410e1756072a701dfd3722951907
  • licenseserverproto.cgi
    • MD5: 9b526db005ee8075912ca6572d69a5d6
  • secid_canceltoken.cgi
    • MD5: f2beca612db26d771fe6ed7a87f48a5a
  • compcheckresult.cgi
    • MD5: ca0175d86049fa7c796ea06b413857a3
  • login.cgi
    • MD5: 56e2a1566c7989612320f4ef1669e7d5
  • healthcheck.cgi
    • MD5: 8c291ad2d50f3845788bc11b2f603b4a
  • libdsplibs.so
    • MD5: 416488b6c8a9bdb9c0cb592e36f44677
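
The following script is an added example, not Deepwatch’s or Pulse Secure’s tooling, showing how to sweep for both IOC sets above (the perimeter URI patterns from step 3 and the look-back described under “What is Deepwatch Doing?”) offline. It applies the advisory’s URI regexes to access-log request paths (the ^/+ form is what catches a request such as //dana-ws//namedusers that an exact-path block would miss) and compares md5sum output for the appliance file system with the CISA webshell hashes. The NCSA-style log layout, the file paths, and the sample log and hash lines are assumptions constructed for the demonstration.

```python
"""IOC sweep for the Pulse Connect Secure indicators in this report.

Added example, not Deepwatch's or Pulse Secure's tooling.  Two checks:
  1. Apply the advisory's URI regexes to web/VPN access-log request paths.
     The '^/+' form matters: it also catches '//dana-ws//namedusers', which a
     plain substring or exact-path block would miss.
  2. Compare `md5sum` output for the appliance file system with the webshell
     hashes CISA published.
"""
import re
from typing import Dict, List, Optional, Tuple

# URI regexes from the Pulse Secure advisory (SA44784), as given in the report.
URI_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
URI_REGEXES = [re.compile(p) for p in URI_PATTERNS]

# MD5 -> file name, from CISA AA21-110a as listed in the report.
WEBSHELL_MD5: Dict[str, str] = {
    "4d5b410e1756072a701dfd3722951907": "DSUpgrade.pm",
    "9b526db005ee8075912ca6572d69a5d6": "licenseserverproto.cgi",
    "f2beca612db26d771fe6ed7a87f48a5a": "secid_canceltoken.cgi",
    "ca0175d86049fa7c796ea06b413857a3": "compcheckresult.cgi",
    "56e2a1566c7989612320f4ef1669e7d5": "login.cgi",
    "8c291ad2d50f3845788bc11b2f603b4a": "healthcheck.cgi",
    "416488b6c8a9bdb9c0cb592e36f44677": "libdsplibs.so",
}

# Assumed log layout: NCSA combined-style access log (client, timestamp,
# request line, status).  Adapt LOG_RE to whatever your proxy or WAF emits.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def matched_uri_pattern(path: str) -> Optional[str]:
    """Return the advisory regex that matches the request path, or None.

    The query string is dropped first so '/dana/meeting?x=1' still matches.
    """
    path_only = path.split("?", 1)[0]
    for rx in URI_REGEXES:
        if rx.match(path_only):
            return rx.pattern
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, timestamp, path, pattern) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        pattern = matched_uri_pattern(m.group("path"))
        if pattern:
            hits.append((m.group("src"), m.group("ts"), m.group("path"), pattern))
    return hits


def scan_md5sum_output(text: str) -> List[Tuple[str, str, str]]:
    """Parse `md5sum` lines ('<hash>  <path>') and return (path, hash, ioc_name)
    for every hash in the webshell list.  Matching is by hash only, so a
    renamed or relocated copy of a listed webshell is still caught; hex case
    is normalised before lookup.
    """
    hits = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if digest in WEBSHELL_MD5:
            hits.append((path, digest, WEBSHELL_MD5[digest]))
    return hits


# Constructed sample data (RFC 5737 documentation addresses, assumed paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2021:03:12:44 +0000] "GET //dana-ws//namedusers HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Apr/2021:03:12:45 +0000] "GET /dana-ws/metric HTTP/1.1" 200 64',
    '198.51.100.22 - - [19/Apr/2021:03:13:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048',
    '198.51.100.22 - - [19/Apr/2021:03:13:09 +0000] "POST /dana/home/index.cgi HTTP/1.1" 302 0',
    '203.0.113.7 - - [19/Apr/2021:03:14:30 +0000] "GET /dana/meeting?x=1 HTTP/1.1" 404 0',
]
SAMPLE_MD5 = """\
d41d8cd98f00b204e9800998ecf8427e  /home/webserver/htdocs/dana-na/auth/url_default/welcome.cgi
56E2A1566C7989612320F4EF1669E7D5  /home/webserver/htdocs/dana-na/auth/url_default/login.cgi
8c291ad2d50f3845788bc11b2f603b4a  /home/webserver/htdocs/dana-na/healthcheck/healthcheck.cgi
"""

if __name__ == "__main__":
    for src, ts, path, pattern in scan_access_log(SAMPLE_LOG):
        print(f"URI IOC  {src} {ts} {path!r} matched {pattern}")
    for path, digest, name in scan_md5sum_output(SAMPLE_MD5):
        print(f"HASH IOC {path} {digest} ({name})")
```

The five patterns can be used unchanged in a Splunk regex command against the request-path field for the 90-day look back; the point of running them as regexes rather than exact-path blocks is the repeated-slash case in the first sample line. File hashes should come from the Integrity Assurance output or an offline copy of the appliance file system rather than from ad-hoc tooling on a possibly compromised box.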

Sources

  1. https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY
  2. https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
  3. https://us-cert.cisa.gov/ncas/alerts/aa21-110a
  4. https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
  5. https://github.com/fireeye/pulsesecure_exploitation_countermeasures/
