
Client alert: Pulse Secure VPN

Not your “run of the mill” patch update

Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Susan Malhotra, CPCU | June 1, 2021

Read our perspective on the Pulse Secure virtual private network event.

What happened?

On April 20, 2021, Pulse Secure (Ivanti) issued an initial advisory to clients to let them know about four zero-day vulnerabilities within Ivanti’s Pulse Connect Secure (PCS) SSL VPN appliance. This is a remote virtual private network appliance. Three of the vulnerabilities were previously known and patches were issued in 2019 and 2020 (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260). The fourth vulnerability was discovered in April 2021 (CVE-2021-22893). The initial advisory released the Pulse Connect Secure Integrity Tool to assist customers in determining if their systems had been impacted while waiting for the new patch to be released. On May 3, Pulse Secure released their follow-up patch advisory to address the fourth vulnerability.

A forensic investigation has thus far detected twelve different malware strains utilizing these vulnerabilities. Given the age of some of the vulnerabilities, it is possible threat actors have utilized them as far back as 2019. The focus of the attacks has been U.S. and European defense industrial base networks and financial organizations. The investigation has uncovered that the threat actors harvested Active Directory credentials and bypassed the multi-factor authentication (MFA) process for Pulse Secure devices to access and remain within victim networks.

It is suspected that at least one of the two main threat actors detected has ties to APT5, a threat group that has been known to operate on behalf of the Chinese government. This suspicion is based on “strong similarities” to prior attacks by the group.1

What is so unique about these exploits?

On the surface, these exploits and the subsequent patches may appear to be a “run of the mill” exploit/patch cycle, especially because this incident did not make big headlines like other recent events (SolarWinds, Microsoft Exchange, Accellion, Colonial Pipeline). However, just below the surface, it is not so “run of the mill”, as the malware did more than just gain access by working around the MFA that the Pulse Secure VPN was intended to provide. Once inside the target’s system, the threat actors cleaned their tracks and left little to no trace behind. Detection was challenging, as the malware went so far as to unpatch modified files and delete utilities and scripts after use. Further, the malware was engineered to blend in with its surroundings and survive software updates and factory resets. The malware installed what is called a “webshell”, a file that looks legitimate, but is actually a remote control receiver for the threat. It allows the threat actor to move around freely, searching for key data and then transferring it out to the threat actor. The threat actors evaded detection by utilizing local routers in the country of the victim.

How does it work?

Think of your organization’s network as a house. Vulnerabilities are little cracks in the foundation of that house and malware is a very hard-to-detect ant. The ant is able to enter the house through the crack without detection and has been engineered to get around the ant trap (aka MFA). The practically invisible ant is free to scurry around in the walls of the house, leaving no trace as it sweeps up behind itself. The ant even has a cell phone with it so it can receive instructions from outside and share information.

What should you do now?

First, determine if you are using this specific appliance (Pulse Secure VPN). Second, if you are using this specific appliance, the Cybersecurity and Infrastructure Security Agency (CISA) recommends a number of mitigation steps to secure against this threat (CISA Alert & Mitigations). To start, we advise the following:

  1. Review the Pulse Secure Connect Integrity Tool Quick Start Guide and Customer FAQs.
  2. Run the Pulse Secure Connect Integrity Tool.
  3. If the organization discovers exploitation activity, they should assume a network identity compromise and follow incident response procedures.
  4. Initiate review of critical vendors to determine if they have had any exploitation activity.
  5. If you or a vendor of yours discovers exploitation activity, consider placing your cyber insurance carrier on notice.

Insurance considerations

Your cyber insurance carrier will provide guidance on what steps to take to respond to this incident, including taking inventory of the data that may have been exposed. It is important to note that in general, reasonable suspicion of unauthorized access into an organization’s network triggers coverage for incident response expenses, including, but not limited to, the costs to hire an outside law firm, an IT forensics firm to determine the scope of the compromise, and a public relations firm. If it is determined that a compromise occurred, the law firm retained on your behalf should advise on your reporting obligations to clients and regulators.
Further, this incident should serve as yet another reminder that even large technology companies like Ivanti / Pulse Secure can be impacted, in this case through their software application. Technological safeguards only go so far. It is therefore a good time to review your cyber insurance coverage with your broker or to consider a risk transfer strategy if one is not already in place.

Thus far we have not seen specific inquiries from the insurance market around this event, though that is always subject to change. However, it further highlights the underwriters’ need for detailed information and clarification around numerous technical aspects of a cyber security program. This event highlights specifically the potential concerns around patch management, event management, use of multifactor authentication (MFA) and even vendor management.


Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.




Lead Broker, Cyber / E&O
