Alleged Chinese hackers have accessed “dozens of government, finance and defense organisations in the US and Europe” by exploiting a new critical (CVSS 10) vulnerability in Ivanti’s Pulse Secure VPN.
The vulnerability lets an unauthenticated user perform remote arbitrary file execution on the Pulse Connect Secure gateway. Pushing an out-of-cycle security advisory live today (April 20) Pulse Secure said the vulnerability “poses a significant risk to your deployment.” Users should mitigate, check for IOCs urgently. There’s no patch yet.
At least two groups are using the vulnerability (CVE-2021-22893) along with multiple techniques for bypassing MFA, and previously unseen malware and techniques that persist across upgrades and factory resets on Pulse Secure devices, FireEye said in its write-up.
It pointed to a group tracked as UNC2630 (with suspected ties to China’s APT5) and said it has identified 12 families of malware specific to Pulse Secure appliances used in this campaign.
“Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment,” the security firm said.
“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.”
FireEye has released a detailed advisory today with detections, mitigations and relevant MITRE ATT&CK techniques. (This includes sample hashes and analysis to enable defenders to quickly assess if their respective appliances have been affected. Yara rules, Snort rules, and hashes are published on Mandiant’s GitHub page.)
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” said a FireEye team.
“This was done to accomplish the following:
- Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
- Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.
- Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.
- Maintain persistence across VPN appliance general upgrades that are performed by the administrator.
- Unpatch modified files and delete utilities and scripts after use to evade detection.
- Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.”