SafeBreach Hacker’s Playbook Updated for US-CERT Alert (AA21-110A) Exploitation of Pulse Connect Secure Vulnerabilities
US Cert Alerts
SafeBreach Labs has updated the Hacker's Playbook™ with new attack methods for the malware samples described in US-CERT Alert AA21-110A, Exploitation of Pulse Connect Secure Vulnerabilities, which addresses multiple vulnerabilities successfully leveraged by two threat groups: APT5, a Chinese state-sponsored threat group, and UNC2717, a group that has not yet been attributed. Vulnerabilities in certain Ivanti Pulse Connect Secure products allow a remote, authenticated threat actor to execute binary code via Server Message Block (SMB) or Pulse Secure Collaboration, granting access to targets including several US and global government agencies, critical infrastructure entities, and other private-sector organizations. Once access is established, the threat actors place webshells on the Pulse Connect Secure appliance to enable a wide variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence that survives patching.
Due to the prevalence of remote work during the COVID-19 pandemic, VPNs have been one of the most common attack vectors used worldwide by attackers and threat groups over the last two years. Whether your organization uses Ivanti Pulse Connect Secure products or another VPN solution, we encourage you to use this opportunity to conduct an in-depth analysis of this attack surface.
Listen to the details of the attack from SafeBreach Labs’ Tomer Bar:
4 newly developed playbook methods related to AA21-110A
25 existing playbook methods related to AA21-110A
What you should do now
The new attack methods for US-CERT AA21-110A are already in the SafeBreach Hacker's Playbook and ready to be run across your simulators. The Known Attack Series report has been updated so you can run the specific attacks from this US-CERT alert. From the Known Attack Series report, select the US-CERT AA21-110A (Pulse Connect Secure) report and then select Run Simulations, which runs all of the related attack methods.