Pulse Secure Connect PCS VPN Hack Explained
- April 23, 2021
- Posted by: Muhammad Afaq Khan, CCIE #9070
- Category: Cybersecurity
It’s time to check your Pulse. I mean your Pulse Connect Secure VPN appliance. Hackers have been exploiting several previously known vulnerabilities and one zero-day affecting Pulse Connect Secure, aka PCS, VPN appliances, targeting defense, government, and financial organizations around the world. According to FireEye, several threat actors have been exploiting four PCS vulnerabilities and using about a dozen different malware families to circumvent authentication and gain backdoor access to PCS devices. Pulse Secure has committed to delivering a patch early next month, which means that as soon as a proof-of-concept exploit is published, attackers will pile on and target the entire unpatched PCS install base in the meantime.
In this article, I want to discuss the hack details, who’s behind it, and what it means for you as a cybersecurity professional. Let’s talk.
Pulse Secure VPN Hack Background
So, if you didn’t know, PCS is a layer 3 VPN appliance that supports both SSL/TLS and IPsec ESP for the encrypted transport. You connect to it with the Pulse Secure desktop or mobile clients. The appliance is available as a prepackaged rack server as well as a virtual appliance that you can run on a hypervisor, and it competes with Cisco and a whole bunch of other firewall and VPN vendors. During my research, I found out that the attackers have been at it from August 2020 until March 2021, so we’re talking about a period of about seven months without getting caught. So, what makes Pulse Secure a hacking target? Well, we can be sure that the work-from-home frenzy due to the pandemic, and the remote access requirement that comes with it, made these appliances a great target: a VPN gateway sits on the Internet edge, sees every remote user’s credentials, and is rarely covered by the endpoint security tooling you run on servers and laptops. In terms of the hack details, the attackers leveraged a total of four vulnerabilities. Three of them, arbitrary file disclosure (CVE-2019-11510), code injection (CVE-2020-8243), and unrestricted file upload (CVE-2020-8260), can be exploited by unauthenticated attackers, but thank goodness they have already been patched by Pulse Secure, so any appliance hit through them was simply running old code. The fourth one (CVE-2021-22893) is a zero-day, and not much is known about it today; however, it is likely exploitable by an unauthenticated remote attacker, requires no user interaction, and allows arbitrary code execution.
Pulse Secure VPN Hack Sequence of Events
Anyhow, here is the sequence of events. Number one: trojanized objects with malicious code are used to log credentials and bypass authentication flows, including multifactor authentication. Number two: webshells are inserted into the Pulse Secure VPN appliance admin pages. The webshells do a bunch of work, branching code execution based on the request context and installing newer webshells. Let me unpack. The trojanized object is known as SLOWPULSE, whereas the webshells are known as RADIALPULSE and PULSECHECK. SLOWPULSE is used for bypassing RADIUS and LDAP authentication and even forcibly passes authentication when a specific hardcoded backdoor key is provided. Because the trojan lives inside the appliance’s own authentication code, the bypass happens server-side and the user’s second factor is simply never consulted, which is why MFA did not save these organizations. The same malware also hijacks and dumps the usernames and passwords of legitimate accounts as they connect and authenticate to a PCS appliance. RADIALPULSE is used to steal credentials, whereas PULSECHECK enables arbitrary code execution. Both RADIALPULSE and PULSECHECK are Perl webshell scripts. Anyhow, so how did the hackers get access to the PCS appliance to begin with? So far, there is no clear answer. I am assuming that hackers got admin-level access to the PCS appliances by using the zero-day vulnerability. Once inside, hackers were able to harvest legitimate remote access credentials and use them to move laterally into the target systems.
Pulse Secure VPN Hack Attribution
As per FireEye, at least one of the threat actors can be linked to a Chinese APT based on its tactics, techniques and procedures, or TTPs, but the analysis is still ongoing.
Pulse Secure VPN Hack for Cyber Professionals
Now, what does it all mean for you as a cybersecurity professional? So, if you happen to be the lucky admin who has a Pulse Secure VPN appliance, you can use Pulse Secure’s Integrity Assurance utility to find out whether your device is compromised or not. Now, regardless of whether the device itself turns out to be compromised, you should also reset all user and even service account passwords, since credentials that passed through a backdoored appliance have to be treated as stolen, and the login history of whatever those credentials unlock downstream deserves a look too. The fact is that there is no patch available for the zero-day vulnerability just yet, but there is a workaround provided by Pulse Secure: you import an XML configuration file that reduces the attack surface by disabling the two affected features, the Windows File Share Browser and Pulse Secure Collaboration. You can also look at the zero-day vulnerability page on the Pulse Secure website for more detail. Based on my quick research, Pulse Secure VPN has a really poor reputation in the market.
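To make the two halves of this story concrete, here is an added example of the kind of check an appliance integrity checker performs. It is not Pulse Secure’s Integrity Assurance tool and not code from the attackers; it builds a constructed sample tree, baselines it, then simulates the compromise described above (a patched authentication library standing in for a SLOWPULSE-style trojanized object, and a dropped Perl CGI script standing in for a webshell) and reports what changed. The paths 'lib/libauth.so' and 'htdocs/admin/check.cgi' and the webshell heuristics are hypothetical.

```python
"""Added example, not Pulse Secure's Integrity Assurance tool.

Baseline a directory tree with SHA-256, diff it against the current state,
and flag Perl CGI files that hand request input to a shell. The sample tree
and its paths are constructed for the demo.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Heuristic only: Perl constructs a webshell typically uses. Hand-review hits.
WEBSHELL_PATTERNS = (
    re.compile(rb"\bsystem\s*\("),
    re.compile(rb"\bexec\s*\("),
    re.compile(rb"`[^`]*\$\w+[^`]*`"),  # backticks executing a variable
    re.compile(rb"\beval\s*\("),
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare a known-good manifest with the current one."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def looks_like_perl_webshell(path):
    """True for Perl scripts that reach for the shell; a lead, not a verdict."""
    with open(path, "rb") as f:
        data = f.read(1 << 20)
    if not (path.endswith((".cgi", ".pl")) or data.startswith(b"#!/usr/bin/perl")):
        return False
    return any(p.search(data) for p in WEBSHELL_PATTERNS)


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Build a clean tree, baseline it, tamper with it, and report the delta."""
    root = tempfile.mkdtemp(prefix="pcs-demo-")
    try:
        # Constructed clean state (hypothetical paths).
        write(root, "lib/libauth.so", b"\x7fELF clean-auth-library")
        write(root, "htdocs/admin/index.cgi", b"#!/usr/bin/perl\nprint \"ok\\n\";\n")
        baseline = build_manifest(root)

        # Simulated compromise: patch the auth library, drop a Perl webshell.
        write(root, "lib/libauth.so", b"\x7fELF clean-auth-library+backdoor-key-check")
        write(root, "htdocs/admin/check.cgi",
              b"#!/usr/bin/perl\nuse CGI;\nmy $c = CGI->new;\nprint `$c->param('cmd')`;\n")

        report = diff_manifest(baseline, build_manifest(root))
        report["suspicious"] = sorted(
            p for p in report["added"] + report["modified"]
            if looks_like_perl_webshell(os.path.join(root, p)))
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:10s} {paths}")
```

The baseline manifest is the whole trick: it has to come from a trusted source (vendor-published hashes or an image you verified before exposing the box), not from the running appliance, because a trojanized device will happily hash its own backdoor. The content heuristic is there to triage the "added" list; a modified shared object like the one above will never match it and is caught only by the hash comparison.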
Pulse Secure VPN Alternatives
So, if you use Pulse today, this may be a good time to look at an alternative such as the Cisco AnyConnect VPN solution. Alternatively, you can also evaluate an open-source solution such as OpenVPN. Whatever you pick, the lesson is the same: an Internet-facing VPN gateway needs to be patched the day a fix ships and monitored like any other server. Now, here is my final thought. The massive shift toward remote work means more people are using remote access VPNs to connect into corporate networks, and the hackers have doubled down on that trend, with hacks targeting work-from-home employees on the rise.
Now, since SolarWinds, every time there is a hack, I am curious to see whether there is a supply chain compromise involved or not. Currently, there seems to be no evidence that backdoors were introduced through a supply chain compromise, but frankly, I won’t be surprised if that turns out to be the attack vector where it all started, as opposed to the zero-day vulnerability.