Over the past few months, several cyberespionage groups, including one believed to be tied to the Chinese government, have been breaking into the networks of organizations from the United States and Europe by exploiting vulnerabilities in VPN appliances from zero-trust access provider Pulse Secure. Some of the flaws date from 2019 and 2020, but one was unknown until this month.
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” researchers from Mandiant, the MDR and incident response arm of security vendor FireEye, said in a newly released report. “These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”
Pulse Secure VPN zero-day vulnerability
While investigating breaches this year at various defense, government and financial organizations from around the world, the Mandiant team kept finding malicious activity in the compromised environments tracing back to their Pulse Secure VPN appliances where hackers had obtained administrative access. The experts couldn’t determine how the hackers gained administrative credentials, so it contacted Pulse Secure and its parent company Ivanti. Their investigation concluded that the attackers were likely using known vulnerabilities found and patched over the past two years, but also a previously unknown one.
Tracked as CVE-2021-22893, the flaw allows attackers to bypass authentication on the Pulse Connect Secure (PCS) VPN solution and execute arbitrary code. The vulnerability is rated critical with a severity score of 10 on the CVSS scale. A patch for the issue will be included in version 9.1R.11.4 of the PCS server, which has not been released yet. Until then, the company provided a workaround in the form of an .xml configuration file that can be imported into the appliance. The file will disable the Windows File Share Browser and Pulse Secure Collaboration features of the appliance to block the attack vector until the full patch is released.
There are some limitations to the workaround. If the VPN appliance is behind a load balancer, disabling the Collaboration feature might affect the balancer. The workaround also doesn’t work on PCS versions 9.0R1 to 9.0R4.1 and 9.1R1 to 9.1R2, so appliances running those versions of the software need to be upgraded before applying the mitigation. The workaround is also not recommended on license servers and the company advises placing such servers on management VLANs or behind a firewall that enforces IP-based access controls.
Pulse Secure has also released a tool that allows administrators to check the integrity of the file system of their PCS appliances to detect any malicious file modifications or additional files deployed by hackers.
The Pulse Secure VPN malware
FireEye believes multiple APT groups are exploiting vulnerabilities in the Pulse Secure VPN appliances to deploy different types of malware and persistence tools. One of the groups is tracked as UNC2630, and it primarily targeted organizations from the US defense industrial base between August 2020 and March 2021.
The researchers suspect that UNC2630 operates on behalf of the Chinese government and its techniques and procedures have strong similarities to those of a Chinese cyberespionage group tracked as APT5 that has been known to target aerospace and defense companies by modifying the images of compromised hardware appliances or technology platforms. APT5 hacking activity goes as far back as 2014.
FireEye attributes seven distinct malware tools discovered during the recent Pulse Secure breaches to UNC2630. These are dubbed SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE and PULSECHECK.
SLOWPULSE is a Trojan deployed by modifying existing shared files on the compromised appliances with the goal of capturing credentials and bypassing various forms of two-factor authentication in existing login flows. This allows attackers to then move laterally through those networks using the captured credentials.
RADIALPULSE and PULSECHECK are web shells that are deployed on internet-accessible VPN appliances to give attackers remote command execution. THINBLOOD is a tool used to clean evidence from log files on the affected appliances.
Most of the other tools are used to maintain persistence by modifying existing binary files or scripts on the compromised VPN appliances. To achieve this, the attackers toggle the filesystem of the appliance to read-write mode from its default read-only.
A second group that targeted PCS appliances to hack into global government agencies between October and March is tracked as UNC2717. FireEye doesn’t have enough information at this time to connect this group to a specific government or a known APT group. The tools used by this group as HARDPULSE, a web shell; QUIETPULSE, a utility that allows executing shell commands and PULSEJUMP, a credential harvesting script.
During their investigations, FireEye’s experts also found a malicious modification of the OpenSSL library with the goal of impacting the random number generation that is critical to cryptographic operations. The company dubbed this Trojanized library LOCKPICK, but does not have enough evidence to attribute it to either UNC2717 or UNC2630.
FireEye has released a collection of Snort and Yara detection rules for these attacks, as well as many indicators of compromise, file hashes, URLs, file names and MIRE ATT&CK techniques that can be used by security teams to assess if their appliances have been compromised.
“Organizations should examine available forensic evidence to determine if an attacker compromised user credentials,” the company advised. “Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerability.”