Nation-State Actor Linked to Pulse Secure Attacks


Vulnerabilities Exploited Include a Zero-Day in Ivanti’s Pulse Connect Secure


A new zero-day vulnerability in Ivanti’s Pulse Connect Secure products is being combined with recently patched flaws to attack U.S. federal agencies.


The U.S. Cybersecurity and Infrastructure Security Agency, Ivanti and FireEye report that U.S. federal agencies and other entities have been compromised by two attack groups.

“Their primary goals are maintaining long-term access to networks, collecting credentials, and stealing proprietary data,” says Charles Carmakal, senior vice president and CTO with FireEye Mandiant. “We believe that multiple cyberespionage groups are using these exploits and tools, and there are some similarities between portions of this activity and a Chinese actor we call APT5.”

The attackers have been actively exploiting these vulnerabilities to compromise U.S. government agencies, critical infrastructure and private sector organizations, CISA says. FireEye adds that the attacks are global, hitting a variety of government and private institutions.

“The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020. Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted,” Ivanti says.

The four vulnerabilities include a zero-day that was discovered in April and is tracked as CVE-2021-22893. The remaining flaws, CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243, are older and were patched in 2019 and 2020, Ivanti says.

“The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence,” CISA says. “The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.”

CISA did not say which federal agencies are affected by these attacks. The malicious activity affecting Pulse Secure started in June 2020 if not earlier, CISA says.

Ivanti has developed the Integrity Checker Tool that organizations can use to determine if malicious activity is taking place in a system due to these vulnerabilities. Ivanti is also developing a patch to fix the zero-day issue.

Pulse Connect Secure allows mobile and remote workers to access corporate resources with a secure and authenticated connection, the company says.

The Zero Day

The critical-rated zero-day, if exploited, allows an unauthenticated, remote attacker to execute arbitrary code via unspecified vectors, Ivanti says. The company and CISA recommend that all organizations using Pulse Connect Secure update to software version 9.1R.11.4 immediately.

“The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. PCS will issue a software update in early May,” Ivanti says.

The older vulnerabilities, which Ivanti patched previously, can allow remote code execution, remote arbitrary file access on the Pulse Connect Secure gateway, and the ability to upload a custom template to perform arbitrary code execution.

FireEye believes the attackers may have used the older vulnerabilities to gain an initial foothold within their targets.

“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893,” FireEye says.

China Connection

FireEye’s Mandiant team reports it is tracking 12 malware families associated with the exploitation of Pulse Connect Secure VPN services. Two threat groups labeled UNC2630 and UNC2717 are believed to be behind the attacks.

“We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,” FireEye says, adding “we do not have enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group.”

FireEye observed UNC2630 conducting attacks from as early as August 2020 until March 2021.

FireEye says UNC2630 has been acting against U.S. defense industrial base networks, where it harvested login credentials from Pulse Secure login flows. These legitimate account credentials then allowed the attackers to move laterally. The attackers maintained persistence by using legitimate but modified Pulse Secure binaries and scripts on the VPN appliance, FireEye says.

FireEye cannot definitively connect UNC2630 to APT5, but says a third party has uncovered evidence connecting this activity to historic campaigns that Mandiant tracks as the Chinese espionage actor APT5.

FireEye says all 12 families can circumvent authentication to gain backdoor access, inject webshells and maintain persistence, and that they evade detection by unpatching modified files and deleting utilities and scripts after use.
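Because the tooling restores modified files and removes dropped scripts after use, a single point-in-time integrity check of the appliance can come back clean. The Python below is an added illustration of that detection gap, not Ivanti's Integrity Checker Tool or FireEye's code: it compares constructed file snapshots against a constructed vendor baseline and keeps every deviation with its timestamp, so a login module that was modified and later restored, and a webshell that was dropped and later deleted, still surface. All paths, hashes and timestamps are placeholders.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed vendor baseline (placeholder paths, not Ivanti's real manifest):
# path -> SHA-256 of the file content that shipped with the appliance.
BASELINE = {
    "/opt/pcs/bin/auth-daemon": sha256(b"shipped auth-daemon binary"),
    "/opt/pcs/perl/login.pm": sha256(b"shipped login.pm"),
}

# Constructed snapshots of the appliance at three points in time: clean, then a
# login module altered for credential logging plus a dropped webshell, then the
# module restored ("unpatched") and the webshell deleted.
SNAPSHOTS = [
    ("2020-08-01", {"/opt/pcs/bin/auth-daemon": b"shipped auth-daemon binary",
                    "/opt/pcs/perl/login.pm": b"shipped login.pm"}),
    ("2020-09-15", {"/opt/pcs/bin/auth-daemon": b"shipped auth-daemon binary",
                    "/opt/pcs/perl/login.pm": b"login.pm with credential logging",
                    "/opt/pcs/htdocs/cgi/shell.cgi": b"webshell"}),
    ("2021-03-01", {"/opt/pcs/bin/auth-daemon": b"shipped auth-daemon binary",
                    "/opt/pcs/perl/login.pm": b"shipped login.pm"}),
]

def check_snapshot(baseline, files):
    """Point-in-time integrity check: (path, status) for every deviation."""
    findings = []
    for path, content in sorted(files.items()):
        if path not in baseline:
            findings.append((path, "unexpected"))   # e.g. a dropped webshell
        elif sha256(content) != baseline[path]:
            findings.append((path, "modified"))     # e.g. a trojanized module
    for path in sorted(set(baseline) - set(files)):
        findings.append((path, "missing"))
    return findings

def audit_history(baseline, snapshots):
    """Run the check on every snapshot and keep each deviation with its
    timestamp, so a file restored to its shipped hash still shows up."""
    history = defaultdict(list)
    for stamp, files in snapshots:
        for path, status in check_snapshot(baseline, files):
            history[path].append((stamp, status))
    return dict(history)
```

Running `check_snapshot` on the last snapshot alone returns nothing, while `audit_history` reports both the restored login module and the deleted webshell with the date they were seen.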

UNC2717 targeted European and other global government entities between October 2020 and March 2021, FireEye says.