According to a FireEye report, hackers with suspected links to China have been actively exploiting vulnerabilities in Pulse Secure VPN appliances since June 2020. The impacted organisations include financial institutions, defence companies, and government agencies in the US and across the globe.
Mandiant recently responded to multiple security incidents involving the exploitation of Pulse Secure VPN appliances. The report examines a new zero-day vulnerability, multiple techniques for bypassing single and multifactor authentication, and malware that persists across upgrades and factory resets on Pulse Secure devices. These techniques are being used by at least two groups, including UNC2630, a group with suspected ties to APT5. Mandiant has identified 12 families of malware specific to Pulse Secure appliances used in this campaign.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said that it is aware of the intrusions and has released a public advisory urging organisations to immediately run the Pulse Secure Connect Integrity Tool and update to the latest software version. CISA has also issued an Emergency Directive to Federal Civilian Executive Branch agencies.
Ivanti, Pulse Secure’s parent company, said that a final patch to fix the vulnerability will be available in May 2021.
Below are some of the comments from cybersecurity experts:
Charles Carmakal, SVP and CTO, Mandiant
In recent months, Mandiant has responded to multiple intrusions involving the exploitation of the Pulse Secure VPN solution. Through the course of our investigations, we learned that a zero-day and other known vulnerabilities in the VPN solution were exploited to facilitate intrusions across dozens of organisations including government agencies, financial entities, and defence companies in the US and abroad. We suspect these intrusions align with data and intelligence collection objectives by China.
These actors are highly skilled and have deep technical knowledge of the Pulse Secure product. They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks. They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected.
Their primary goals are maintaining long-term access to networks, collecting credentials, and stealing proprietary data. We believe that multiple cyber espionage groups are using these exploits and tools, and there are some similarities between portions of this activity and a Chinese actor we call APT5.
The exploitation of this product should not be confused with a supply chain intrusion. These actors were using known vulnerabilities as well as the previously unknown vulnerability CVE-2021-22893. We have no evidence that this is a supply chain compromise of Ivanti’s network or software.
Ammar Enaya, Regional Director – METNA, Vectra AI
These events underscore the mindset that security leaders need to both internalise and evangelise: the breach must be assumed, trust must be explicitly built rather than implicitly granted, and a preventative control is only as strong as its weakest link relative to an adversary’s resources. Multifactor Authentication is the floor, not the ceiling, necessary for modern remote access, and network defenders must understand that adversaries are motivated to exploit organisations that confuse that principle.
On the bright side, the fact that these campaigns are getting the awareness that they deserve throughout industry indicates that some of the above messaging is breaking through. When network defenders understand that full prevention is a fool’s errand, and that success is measured in their resilience by detecting, responding, and recovering from attacks before material damage is done, we will start seeing the maturity necessary for organisations at risk of failing preventative controls to more consistently shrug off their failure and turn the tables on the threat actors.
This is a developing story; bookmark this link for the latest updates.