The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive (ED) 21-03, which requires Federal civilian departments and agencies running Pulse Connect Secure products “to assess and mitigate any anomalous activity or active exploitation detected on their networks.”
“All affected agencies are required to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems, and if mismatches or new files are found, they must take mitigation actions and contact CISA for potential incident response activities,” CISA wrote in a press release.
The directive was issued in part because of observed active exploitation of disclosed vulnerabilities in Pulse Connect Secure products. Threat actors who successfully exploit these vulnerabilities can gain access to, and control of, the enterprise network operating the vulnerable Pulse Connect Secure appliance.
According to CISA, since March 31, 2021 the agency has helped multiple entities whose Pulse Connect Secure products have been exploited by a threat actor. These entities confirmed the intrusions after running the Pulse Connect Secure Integrity Tool; the threat actors had used their access to place “webshells” on the Pulse Connect Secure appliance.
“Over the last year, CISA has issued several alerts urging agencies, governments and organizations to assess and patch Pulse Connect Secure vulnerabilities,” said Acting CISA Director Brandon Wales. “This Emergency Directive reflects the seriousness of these vulnerabilities and the importance for all organizations – in government and the private sector – to take appropriate mitigation steps.”
CISA also issued an activity alert encouraging public and private sector organizations to take steps similar to those required by ED 21-03.