A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state players to launch cyber-attacks against US defence, finance & government targets, as well as European victims, researchers have noted.
CVE-2021-22893 allows remote code-execution (RCE) & is being used in the wild by nation-state cyber-attackers to compromise VPN appliances in defence, finance, & government orgs.
Remote Code-Execution
The flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) & is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research.
Pulse Secure stated that the zero-day will be patched in early May; in the meantime, the company has worked with Ivanti (its parent company) to release both mitigations & the Pulse Connect Secure Integrity Tool, to help customers determine whether their systems have been impacted.
“The investigation shows ongoing attempts to exploit 4 issues: The substantial bulk of these issues involve 3 vulnerabilities that were patched in 2019 & 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) & Security Advisory SA44601 (CVE-2020-8260),” according to a Pulse Secure statement. “The new issue, discovered this month, impacted a very limited number of customers.”
Zero-Day in Pulse Connect Secure VPNs
This newly found critical security issue is rated 10 out of 10 on the CVSS vulnerability-rating scale. It is an ‘authentication bypass vulnerability’ that can let an unauthenticated user perform RCE on the Pulse Connect Secure gateway. It “poses a significant risk to your deployment,” explains the advisory, issued on Tuesday.
“The ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,” Bharat Jogi, Senior Manager of Vulnerability & Threat Research at Qualys, observed. “VPNs have become a prime target for cyber-criminals over the past few months.”
Workaround-2104.xml
“The Pulse Connect Secure vulnerability with CVE-2021-22893…can be exploited without any user interaction,” he added.
The mitigations involve importing a file called “Workaround-2104.xml,” available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.
Blacklisting Feature
Users can also use the blacklisting feature to prevent URL-based attacks, the firm noted, by blocking the following URI patterns:
- ^/+dana/+meeting
- ^/+dana/+fb/+smb
- ^/+dana-cached/+fb/+smb
- ^/+dana-ws/+namedusers
- ^/+dana-ws/+metric
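The five blocklist entries above are regular expressions, and a defender will want to know what they actually match before relying on them and how to find historical requests that would have hit them. The following Python script is an added example, not part of the advisory or of Pulse Secure's tooling: it applies the advisory's patterns verbatim to a few constructed web-access-log lines in combined log format and reports each request that matches. The log lines, IP addresses and the non-blocklisted paths are all made up for the demonstration.

```python
import re

# The URI blocklist patterns from the Pulse Secure advisory, copied verbatim.
BLOCKED_URI_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
_COMPILED = [re.compile(p) for p in BLOCKED_URI_PATTERNS]

# Constructed sample access-log lines (combined log format); not real traffic.
# Note the doubled slashes on the third line: "/+" in the patterns means
# "one or more slashes", so //dana//meeting is still caught.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2021:10:01:12 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 5123
203.0.113.7 - - [21/Apr/2021:10:01:40 +0000] "POST /dana-ws/namedusers HTTP/1.1" 200 302
198.51.100.9 - - [21/Apr/2021:10:02:03 +0000] "GET //dana//meeting HTTP/1.1" 200 77
198.51.100.9 - - [21/Apr/2021:10:02:09 +0000] "GET /dana-cached/fb/smb?x=1 HTTP/1.1" 200 77
192.0.2.44 - - [21/Apr/2021:10:03:00 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 4096
"""

# Minimal combined-log-format parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def matching_pattern(uri):
    """Return the first advisory pattern the request URI matches, or None.

    The patterns are anchored with ^, so searching the full URI (query string
    included) is equivalent to matching on the path prefix.
    """
    for raw, rx in zip(BLOCKED_URI_PATTERNS, _COMPILED):
        if rx.search(uri):
            return raw
    return None


def scan_log(text):
    """Return a list of (ip, timestamp, method, uri, pattern) tuples, one per
    parsed request whose URI matches a blocklisted pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        pat = matching_pattern(m["uri"])
        if pat is not None:
            hits.append((m["ip"], m["ts"], m["method"], m["uri"], pat))
    return hits


if __name__ == "__main__":
    for ip, ts, method, uri, pat in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {uri}  <- matches {pat}")
```

Run against the constructed lines, three of the five requests are flagged (the namedusers, meeting and cached-SMB requests); the login page and the ordinary /dana/home request are not. The same scan_log function can be pointed at an exported appliance access log to see whether any of the blocklisted endpoints were reached before the blacklist entries were applied.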
“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behaviour on their PCS appliances,” according to Pulse Secure. “The PCS team has provided remedy guidance to these customers directly.”
Surge of Activity
According to other research from Mandiant, this & the other bugs are at the centre of a surge of activity by different threat players, involving 12 different malware families overall.
The malware is used for authentication-bypass & establishing backdoor access to the VPN devices, & for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 & UNC2717, are particularly involved, researchers concluded.
Links to China
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,” according to Mandiant, in a posting on Tuesday.
“In order to maintain persistence to the compromised networks, the actor utilised legitimate, but modified, Pulse Secure binaries & scripts on the VPN appliance.”
Tracked Tools
The firm tracks those tools as the following:
- Slow Pulse: Trojanised shared objects with malicious code to log credentials & bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.
- Radial Pulse & Pulse Check: Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.
- Thin Blood: A utility used to clear relevant log files.
- Other capabilities: Toggling the filesystem between Read-Only & Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; & the ability to un-patch modified files and delete utilities & scripts after use to evade detection.
US Defence-Sector
UNC2630 targeted US defence-sector companies as early as August 2020, Mandiant noted. It added that the activity could be state-sponsored, most likely backed by China.
“We suspect UNC2630 operates on behalf of the Chinese government & may have ties to APT5,” explains this analysis. “UNC2630’s combination of infrastructure, tools, & on-network behaviour appear to be unique, & we have not observed them during any other campaigns or at any other engagement. In spite of these new tools & infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 & 2015 & conducted by Chinese espionage actor APT5.”
APT5 consistently targets defence & technology companies in Asia, Europe & the US, Mandiant noted.
High Value Corporate Networks
“It has shown significant interest in compromising networking devices & manipulating the underlying software which supports these appliances,” Mandiant researchers commented.
“APT5 persistently targets high value corporate networks & often re-compromises networks over many years. Their primary targets appear to be aerospace & defence companies located in the US, Europe, & Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers & software companies usually located in the US.”
The UNC2717 APT Connection
As for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organisation. UNC2717 was also seen targeting global government agencies between October & March.
As yet, there’s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant commented.
The tools used by this group include Hard Pulse, which is a web shell; Pulse Jump, used for credential-harvesting; and Radial Pulse. The firm also observed a new malware that it calls Lockpick, which is a trojanised OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.
Loosely Related
All malware families in use in these campaigns seem to be ‘loosely’ related, states Mandiant.
“Although we did not observe Pulse Jump or Hard Pulse used by UNC2630 against US defence companies, these malware families have shared characteristics & serve similar purposes to other code families used by UNC2630,” researchers observed.
They then added, “Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.”
A Favourite Target
Pulse Secure VPNs continue to be a top target for nation-state players. Last week, the FBI warned that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was one of five vulnerabilities being attacked by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes).
APT29 is conducting “widespread scanning & exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” the FBI explained.
US Dept. of Homeland Security
Earlier in April, the US Dept. of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change the passwords of their Active Directory accounts, because in many cases attackers had already exploited CVE-2019-11510 to hoover up victims’ credentials & were now using those credentials to move ‘laterally’ through organisations, DHS warned.
Last autumn, the Cybersecurity & Infrastructure Security Agency (CISA) revealed that a federal agency had suffered a successful espionage-related cyber-attack that led to a backdoor & multistage malware being put onto its network.
Again, CVE-2019-11510 was used, this time to gain access to employees’ legitimate Microsoft Office 365 log-in credentials & sign into an agency computer remotely.
Cyber-Hygiene Practices
“Almost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new & old,” Yaniv Bar-Dayan, CEO & co-founder at Vulcan Cyber, outlined.
“Malicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices & serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cyber-security dirty job that is under-resourced & under-appreciated & businesses are paying the price.”