Dark Reading, Perimeter
4/20/2021 05:50 PM
Pulse Secure VPN Flaws Exploited to Target US Defense Sector

China-linked attackers have used vulnerabilities in the Pulse Secure VPN appliance to attack US Defense Industrial Base networks.

Nation-state attackers are exploiting high-severity vulnerabilities in the Pulse Secure VPN to breach networks within the US defense sector and organizations around the world, researchers report.

IT software firm Ivanti, which acquired Pulse Secure late last year, today confirmed attackers have targeted a "limited number of customers" using Pulse Connect Secure (PCS) appliances. It has been working with Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA), and others to respond to the exploits, which target three known vulnerabilities and a zero-day.

The three known flaws are CVE-2020-8243, CVE-2020-8260, and CVE-2019-11510, the last of which CISA recently warned is among several CVEs under attack by the Russian Foreign Intelligence Service (SVR) in its efforts to target US and allied networks, including national security and government systems. All three were patched in 2019 and 2020, Ivanti says, so exploitation of them indicates appliances that were never updated.

CVE-2021-22893, a new issue discovered this month, is an authentication bypass vulnerability that could allow an unauthenticated attacker to perform arbitrary file execution on the Pulse Connect Secure gateway. Ivanti has provided mitigations for the critical flaw and developed an integrity-checking tool so that customers can confirm whether their appliances have been affected. A software update fixing the flaw is scheduled for May.

The company did not confirm which group is behind the exploits; however, a Mandiant report also released this morning provides more details on the attacks targeting Pulse Secure CVEs and points to connections between this attack activity and a group with Chinese government ties.

Researchers are currently tracking 12 malware families associated with the exploitation of Pulse Secure VPNs, write Mandiant's Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels in their report. While each of these families serves to bypass authentication and gain backdoor access to the VPN appliances, they are not necessarily related to one another and have been seen in separate attacks.

It's likely that multiple attack groups are exploiting these vulnerabilities; however, the focus of this research is on UNC2630 and its attacks against US Defense Industrial Base (DIB) networks.

Earlier this year, Mandiant was investigating attacks against defense, government, and financial organizations around the world. Each of these intrusions could be traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances, but in many cases researchers could not determine how the attackers had gained administrative access. With Ivanti's analysis, they learned that some of these intrusions stemmed from the already patched Pulse Secure flaws, while others came from CVE-2021-22893.

UNC2630 was seen stealing credentials from various Pulse Secure login flows, which let them use legitimate account credentials to move into target environments. To remain persistent, the attackers used modified Pulse Secure binaries and scripts on the VPN.

Once they achieved persistence, the attackers were able to conduct a range of activities. They Trojanized shared objects to log credentials and bypass authentication flows, including multifactor authentication requirements. They injected Web shells into legitimate, Internet-facing Pulse Secure administrative Web pages, maintained persistence across appliance upgrades performed by administrators, and, to evade detection, restored ("unpatched") the files they had modified and deleted their utilities and scripts after use, among other actions, the researchers explain in their findings.
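Every tactic in the paragraph above changes the appliance's file system: an injected Web shell modifies or adds a page, a Trojanized shared object replaces a binary, and cleanup removes a utility. The natural check is therefore a baseline-and-diff file integrity comparison. The script below is an added illustration of that technique and is not Ivanti's Integrity Checker Tool or Mandiant's tooling; the directory layout, file names and contents are constructed for the demo and do not correspond to real appliance paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot make a foreign file look 'known'."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then apply the tactics from the
    report (inject into an admin page, replace a binary, delete a utility, drop a
    new file) and return what the diff surfaces."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        (root / "bin").mkdir()
        # Constructed "clean" appliance files (hypothetical names, not real paths).
        (root / "admin" / "index.cgi").write_text("#!/usr/bin/perl\nprint 'login page';\n")
        (root / "bin" / "upgrade-helper").write_bytes(b"\x7fELF constructed clean binary")
        (root / "bin" / "cleanup.sh").write_text("#!/bin/sh\nrm -f /tmp/*.log\n")
        baseline = build_manifest(root)  # in practice: taken from vendor media, stored off-box

        # Simulated tampering, all constructed for the demo.
        with (root / "admin" / "index.cgi").open("a") as fh:
            fh.write("# constructed: attacker-appended command handler\n")
        (root / "bin" / "upgrade-helper").write_bytes(b"\x7fELF constructed trojanized binary")
        (root / "bin" / "cleanup.sh").unlink()
        (root / "admin" / "shell.cgi").write_text("# constructed web shell\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the reported behaviour. The baseline must come from vendor-supplied images, not from the appliance itself, and the comparison should run from a separate host, since a compromised device cannot be trusted to hash its own files honestly. And because the attackers restored modified files after use, a single point-in-time comparison can come back clean; compare repeatedly and keep the history so a transient modification still leaves a record.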

"We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families," they write.

UNC2630's infrastructure, tools, and behavior on the network were new to the Mandiant team, which hadn't seen them in any other campaigns. But while these factors were unique to this group, analysts found "strong similarities" to other intrusions going back to 2014 and 2015, which were conducted by Chinese espionage group APT5. They also have limited evidence indicating UNC2630 may operate on behalf of the Chinese government.

While Mandiant can't definitively link UNC2630 to APT5, it notes other researchers have tied this particular activity to other attacks that Mandiant has tracked as Chinese espionage activity. This third-party assessment is consistent with its understanding of APT5, an actor it says has shown interest in compromising networking devices and the software on which they run.

For organizations using Pulse Connect Secure, Mandiant advises assessing the impact of the Pulse Secure mitigations and applying them where possible. Ivanti recommends resetting passwords and reviewing configurations to ensure that no service accounts can be used to authenticate to the appliance.

CISA has also issued an alert warning of the exploitation of these vulnerabilities.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...