April 23, 2021
Severity
High
Analysis Summary
The zero-day vulnerability in Ivanti's Pulse Connect Secure VPN was previously unknown. Threat actors have leveraged multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, maintain access via web shells, and establish persistence across updates. The zero-day (CVE-2021-22893), in combination with previously disclosed vulnerabilities, is being used to extract credentials, deploy legitimate but modified Pulse Secure binaries, and move laterally within target environments.
Impact
- Remote Code Execution
- URL-Based Attacks
Affected Vendors
Pulse Secure
Affected Products
Pulse Secure VPN appliances
Indicators of Compromise
SHA-256
- 133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a
- d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b
- cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68
- 1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd
- b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9
- c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c
- 06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7
- e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415
- b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a
- 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc
- a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1
- 9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd
- c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4
- 7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a
- 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc
- f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90
- 224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450
- 68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2
- 4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec
- 88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079
- 1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9
- 2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8
- b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4
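As an added example that is not part of the Rewterz alert, the following Python script sweeps a directory tree and reports any file whose SHA-256 matches the indicators listed above. The IOC set is copied verbatim from the list; the temporary directory, the file names and the "planted" sample content in `demo()` are constructed so the sweep can be exercised offline without any real sample on disk.

```python
"""Sweep a directory tree for files whose SHA-256 matches the alert's IOC list."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Set

# The 23 SHA-256 indicators published in this alert (lowercase hex).
PULSE_SECURE_IOC_SHA256: Set[str] = {
    "133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a",
    "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b",
    "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68",
    "1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd",
    "b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9",
    "c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c",
    "06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7",
    "e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415",
    "b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a",
    "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc",
    "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1",
    "9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd",
    "c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4",
    "7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a",
    "1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc",
    "f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90",
    "224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450",
    "68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2",
    "4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec",
    "88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079",
    "1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9",
    "2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8",
    "b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def iter_regular_files(root: Path) -> Iterator[Path]:
    """Yield regular files below root, skipping symlinks so a planted link cannot redirect the sweep."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.is_file() and not candidate.is_symlink():
                yield candidate


def scan_for_iocs(root: Path, iocs: Set[str] = PULSE_SECURE_IOC_SHA256) -> Dict[str, str]:
    """Return {path: sha256} for every file under root whose hash is in the IOC set."""
    hits: Dict[str, str] = {}
    for path in iter_regular_files(root):
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if digest in iocs:
            hits[str(path)] = digest
    return hits


def demo(plant: bool = True) -> Dict[str, str]:
    """Constructed demo: a benign file plus, optionally, a 'planted' file whose hash is
    added to a copy of the IOC set so the match path can be exercised without real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"")  # hash not in the IOC list
        iocs = set(PULSE_SECURE_IOC_SHA256)
        if plant:
            planted = root / "planted.bin"
            planted.write_bytes(b"abc")  # constructed content, not a real sample
            iocs.add(sha256_of_file(planted))
        return scan_for_iocs(root, iocs)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for hit_path, hit_hash in scan_for_iocs(target).items():
        print(f"IOC MATCH {hit_hash} {hit_path}")
```

Run it as `python sweep.py /path/to/export` against files pulled from an appliance or a file share; a hash match is a strong signal but an absence of matches is not proof of a clean host, since the actors described above also modified legitimate Pulse Secure binaries whose hashes may not appear in this list.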
Remediation
Upgrade to the latest Pulse Connect Secure server software version 9.1R.11.4. For more information, see https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/