Nation-state attackers are exploiting high-severity vulnerabilities in the Pulse Secure VPN to breach networks within the US defense sector and organizations around the world, researchers report.

IT software firm Ivanti, which acquired Pulse Secure late last year, today confirmed attackers have targeted a "limited number of customers" using Pulse Connect Secure (PCS) appliances. It has been working with Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA), and others to respond to the exploits, which target three known vulnerabilities and a zero-day.

The three known flaws include CVE-2020-8243, CVE-2020-8260, and CVE-2019-11510, which CISA recently warned is among several CVEs under attack by the Russian Foreign Intelligence Service (SVR) in its efforts to target US and allied networks, including national security and government systems. All of these vulnerabilities were patched in 2019 and 2020, Ivanti says.

CVE-2021-22893, a new issue discovered this month, is an authentication bypass vulnerability that could allow an unauthenticated attacker to perform arbitrary file execution on the Pulse Connect Secure gateway. Ivanti has provided mitigations for the critical flaw and developed a tool for businesses to confirm if they are affected. A software update will be available in May.

The company did not confirm which group is behind the exploits; however, a Mandiant report also released this morning provides more details on the attacks targeting Pulse Secure CVEs and points to connections between this attack activity and a group with Chinese government ties.

Researchers are currently tracking 12 malware families associated with the exploitation of Pulse Secure VPNs, write Mandiant's Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels in their report. While each of these families is related to bypassing authentication and gaining backdoor access to the VPNs, they aren't necessarily related and have been seen in separate attacks.

It's likely that multiple attack groups are exploiting these vulnerabilities; however, the focus of this research is on UNC2630 and its attacks against US Defense Industrial Base (DIB) networks.

Mandiant earlier this year had been investigating attacks against defense, government, and financial organizations around the world. Each of these attacks could be traced back to DHCP IP address ranges belonging to Pulse Secure VPNs, but in many cases researchers couldn't define how attackers gained admin access. With Ivanti's analysis, they learned some of these intrusions stemmed from the patched Pulse Secure flaws; others came from CVE-2021-22893.

UNC2630 was seen stealing credentials from various Pulse Secure login flows, which let them use legitimate account credentials to move into target environments. To remain persistent, the attackers used modified Pulse Secure binaries and scripts on the VPN.

Once they achieved persistence, attackers were able to conduct a range of activities. They Trojanized shared objects to log credentials and bypass authentication flows, including multifactor authentication requirements. They injected Web shells into legitimate Pulse Secure administrative Web pages accessible to the Internet, maintained persistence across VPN general upgrades performed by admins, and unpatched modified files and deleted utilities and scripts to evade detection, among other actions, the researchers explain in their findings.

"We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families," they write.

UNC2630's infrastructure, tools, and behavior on the network were new to the Mandiant team, which hadn't seen them in any other campaigns. But while these factors were unique to this group, analysts found "strong similarities" to other intrusions going back to 2014 and 2015, which were conducted by Chinese espionage group APT5. They also have limited evidence indicating UNC2630 may operate on behalf of the Chinese government.

While Mandiant can't definitively link UNC2630 to APT5, it notes other researchers have tied this particular activity to other attacks that Mandiant has tracked as Chinese espionage activity. This third-party assessment is consistent with its understanding of APT5, an actor it says has shown interest in compromising networking devices and the software on which they run.

For organizations using Pulse Secure Connect, Mandiant advises assessing the impact of the Pulse Secure mitigations and applying if possible. Ivanti recommends resetting passwords and reviewing configurations to make sure no service accounts can be used to authenticate to the vulnerability.

CISA has also issued an alert warning of the exploitation of these vulnerabilities.