Skip to main content

Pulse Secure VPN Zero-Day: Now Identified, Located, and Scored in SecurityScorecard’s Platform

Ryan Sherstobitoff, Julian Norton and the Investigations & Analysis Team (I&A)
Posted on April 26th, 2021

On April 20, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Cyber Activity Alert (AA21-110A) and an Emergency Directive (21-03) regarding vulnerabilities in Pulse Connect Secure products, which are popular virtual private network (VPN) remote access solutions. Pulse Secure, owned by Ivanti, also released an alert. These vulnerabilities are currently being exploited and have affected both government agencies and private companies.

These vulnerabilities are known as zero-day vulnerabilities because they were exploited before a patch is available to mitigate them. Zero-day attacks happen before anyone, often even the software developer itself, is even aware of the existence of the vulnerabilities, let alone devised a patch or other mitigation strategy.

SecurityScorecard has used its proprietary technology to scan the internet for publicly available data to find instances of this zero-day. We then added the results of this scanning as a new product feature to filter by the newest vulnerability identified by CISA and Pulse Secure, CVE 2021-22893, within the product allowing users to quickly determine whether their own organization and/or their vendors may have vulnerable instances of this vulnerability arising from compromised versions of the Pulse Secure product. The following is a screenshot of this new feature:

SecurityScorecard’s ability to quickly scan the internet for newly identified CVE’s and publish the findings across its platform (currently scoring over 5 million entities) demonstrates the power of our data (including years of historical data) which drive the ultimate ratings. Users can quickly identify if they, or an organization they are following (e.g., vendor or supplier), have been impacted by this previously unknown vulnerability and quickly take steps to mitigate this risk.

The map below is a scan from April 25, 2021, showing IP addresses where the vulnerability has been detected.

SecurityScorecard’s Investigations & Analysis (I&A) team has identified malicious activity associated with the same IPs where the CVE has been identified. In fact, we have found indications that Advanced Persistent Threat (“APT”) actors may be exploiting these vulnerabilities and the I&A team continues to research associated malware and Techniques, Tactics & Procedures to better understand the overall threat campaign. We intend to release research on this topic within the coming week.

Return to Blog
Join us in making the world a safer place.