Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

End of Bibblio RCM includes -->
4/20/2021
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Pulse Secure VPN Flaws Exploited to Target US Defense Sector

China-linked attackers have used vulnerabilities in the Pulse Secure VPN appliance to attack US Defense Industrial Base networks.

Nation-state attackers are exploiting high-severity vulnerabilities in the Pulse Secure VPN to breach networks within the US defense sector and organizations around the world, researchers report.

Related Content:

CISA Releases Alert on Exploitation of Pulse Connect Secure Vulnerabilities

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

IT software firm Ivanti, which acquired Pulse Secure late last year, today confirmed attackers have targeted a "limited number of customers" using Pulse Connect Secure (PCS) appliances. It has been working with Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA), and others to respond to the exploits, which target three known vulnerabilities and a zero-day.

The three known flaws include CVE-2020-8243CVE-2020-8260, and CVE-2019-11510, which CISA recently warned is among several CVEs under attack by the Russian Foreign Intelligence Service (SVR) in its efforts to target US and allied networks, including national security and government systems. All of these vulnerabilities were patched in 2019 and 2020, Ivanti says.

CVE-2021-22893, a new issue discovered this month, is an authentication bypass vulnerability that could allow an unauthenticated attacker to perform arbitrary file execution on the Pulse Connect Secure gateway. Ivanti has provided mitigations for the critical flaw and developed a tool for businesses to confirm if they are affected. A software update will be available in May.

The company did not confirm which group is behind the exploits; however, a Mandiant report also released this morning provides more details on the attacks targeting Pulse Secure CVEs and points to connections between this attack activity and a group with Chinese government ties.

Researchers are currently tracking 12 malware families associated with the exploitation of Pulse Secure VPNs, write Mandiant's Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels in their report. While each of these families is related to bypassing authentication and gaining backdoor access to the VPNs, they aren't necessarily related and have been seen in separate attacks.

It's likely that multiple attack groups are exploiting these vulnerabilities; however, the focus of this research is on UNC2630 and its attacks against US Defense Industrial Base (DIB) networks.

Mandiant earlier this year had been investigating attacks against defense, government, and financial organizations around the world. Each of these attacks could be traced back to DHCP IP address ranges belonging to Pulse Secure VPNs, but in many cases researchers couldn't define how attackers gained admin access. With Ivanti's analysis, they learned some of these intrusions stemmed from the patched Pulse Secure flaws; others came from CVE-2021-22893.

UNC2630 was seen stealing credentials from various Pulse Secure login flows, which let them use legitimate account credentials to move into target environments. To remain persistent, the attackers used modified Pulse Secure binaries and scripts on the VPN.

Once they achieved persistence, attackers were able to conduct a range of activities. They Trojanized shared objects to log credentials and bypass authentication flows, including multifactor authentication requirements. They injected Web shells into legitimate Pulse Secure administrative Web pages accessible to the Internet, maintained persistence across VPN general upgrades performed by admins, and unpatched modified files and deleted utilities and scripts to evade detection, among other actions, the researchers explain in their findings.

"We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families," they write.

UNC2630's infrastructure, tools, and behavior on the network were new to the Mandiant team, which hadn't seen them in any other campaigns. But while these factors were unique to this group, analysts found "strong similarities" to other intrusions going back to 2014 and 2015, which were conducted by Chinese espionage group APT5. They also have limited evidence indicating UNC2630 may operate on behalf of the Chinese government.

While Mandiant can't definitively link UNC2630 to APT5, it notes other researchers have tied this particular activity to other attacks that Mandiant has tracked as Chinese espionage activity. This third-party assessment is consistent with its understanding of APT5, an actor it says has shown interest in compromising networking devices and the software on which they run.

For organizations using Pulse Secure Connect, Mandiant advises assessing the impact of the Pulse Secure mitigations and applying if possible. Ivanti recommends resetting passwords and reviewing configurations to make sure no service accounts can be used to authenticate to the vulnerability.

CISA has also issued an alert warning of the exploitation of these vulnerabilities.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41807
PUBLISHED: 2022-12-05
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending a specially crafted request. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASK...
CVE-2022-41830
PUBLISHED: 2022-12-05
Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKa...
CVE-2022-42496
PUBLISHED: 2022-12-05
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.
CVE-2022-43442
PUBLISHED: 2022-12-05
Plaintext storage of a password vulnerability exists in +F FS040U software versions v2.3.4 and earlier, which may allow an attacker to obtain the login password of +F FS040U and log in to the management console.
CVE-2022-43470
PUBLISHED: 2022-12-05
Cross-site request forgery (CSRF) vulnerability in +F FS040U software versions v2.3.4 and earlier, +F FS020W software versions v4.0.0 and earlier, +F FS030W software versions v3.3.5 and earlier, and +F FS040W software versions v1.4.1 and earlier allows an adjacent attacker to hijack the authenticati...