Pulse Connect Secure Vulnerability Used to Target Water Agency, Verizon

The trend of attacks against critical infrastructure continues as news broke overnight that Verizon and one of the largest water agencies in the US were reportedly among the group targeted in the hack of Pulse Connect Secure devices. An out-of-band advisory warning that foreign threat actors were targeting previously known vulnerabilities in Pulse Secure was issued on April 20 but the scale of the hack is now starting to become clear. Please find below a comment from Scott Caveza, research engineering manager, Tenable.

“On April 20, Pulse Secure released an out-of-band advisory warning that foreign threat actors were targeting three previously known vulnerabilities (CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260) along with a newly discovered critical authentication bypass zero-day vulnerability (CVE-2021-22893). In the months since, we are now learning about new victims in these attacks as we continue to see attackers leveraging well-known vulnerabilities in their attack chains. CVE-2019-11510, which has been exploited in the wild since details became public in August 2019, was one of the Top 5 vulnerabilities in Tenable’s 2020 Threat Landscape Retrospective report because of its ease of exploitation and widespread exploitation.

“Bad actors are targeting core infrastructure and organisations very aggressively. Patching and securing critical devices must remain a top priority for defenders who should be implementing compensating controls wherever this is not practical. Attackers have had continued success exploiting known vulnerabilities, many with easily identified public proof-of-concept code and patches readily available. Among other things, attackers are targeting networks through VPNs to gain entry into private networks.” — Scott Caveza, research engineering manager, Tenable