More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.
Touted as the most widely deployed SSL VPN solution, Pulse Connect Secure provides remote and mobile users with secure access to corporate resources. The VPN appliance is part of Ivanti’s portfolio, after it acquired Pulse Secure in 2020.
Pulse Secure appliances are known for being the target of choice for both cybercriminals and state-sponsored threat actors, and government agencies have issued multiple alerts to warn of continuous exploitation of unpatched vulnerabilities in these products.
Despite that, however, the number of vulnerable Pulse Connect Secure hosts remains high, Censys’ latest report shows: 4,460 out of 30,266 appliances exposed to the internet lack patches.
According to the report, roughly 3,500 of the vulnerable appliances are missing patches released in August 2021 to resolve six vulnerabilities, including a critical-severity file write bug that can be exploited to execute arbitrary code with root privileges.
Censys also discovered that over 1,800 of the vulnerable hosts have not been patched against three critical-severity issues that Pulse Secure resolved in May 2021, two weeks after warning that one of the flaws (CVE-2021-22893, CVSS score of 10) was being exploited in attacks.
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.
