A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.
The flaw, tracked as CVE-2021-22893, allows remote code execution (RCE) and is being exploited in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said the zero-day will be patched in early May; in the meantime the company has worked with Ivanti, its parent company, to release both mitigations and the Pulse Connect Secure Integrity Tool, which helps determine whether an appliance has been compromised.
“The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260),” according to a Pulse Secure statement provided to Threatpost. “The new issue, discovered this month, impacted a very limited number of customers.”
CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs
The newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It’s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It “poses a significant risk to your deployment,” according to the advisory, issued Tuesday.
“The ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,” Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. “VPNs have become a prime target for cybercriminals over the past few months.”
“The Pulse Connect Secure vulnerability with CVE-2021-22893…can be exploited without any user interaction,” he added.
The mitigations involve importing a file called “Workaround-2104.xml,” available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.
Users can also block URL-based attacks with the appliance's blacklisting feature, the firm noted, by adding the following URI patterns (they are regular expressions anchored at the start of the request path):
- ^/+dana/+meeting
- ^/+dana/+fb/+smb
- ^/+dana-cached/+fb/+smb
- ^/+dana-ws/+namedusers
- ^/+dana-ws/+metric
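The same five patterns are also useful for looking backwards: a request to one of these endpoints in the appliance's web access log from before the blacklist was applied is worth investigating. The following Python is an added example, not code from the advisory or from Threatpost; it applies the advisory's patterns verbatim to access-log lines and reports the matches. The log layout is an assumed Apache-style format, since the appliance's real log format is not described on this page, and the sample lines are constructed.

```python
import re

# The five URI patterns from the advisory, copied verbatim. They are regular
# expressions anchored at the start of the request path; "/+" tolerates
# doubled slashes such as //dana-ws//metric.
BLOCKED_URI_PATTERNS = [
    r"^/+dana/+meeting",
    r"^/+dana/+fb/+smb",
    r"^/+dana-cached/+fb/+smb",
    r"^/+dana-ws/+namedusers",
    r"^/+dana-ws/+metric",
]
_COMPILED = [re.compile(p) for p in BLOCKED_URI_PATTERNS]

# Assumed Apache-style access-log layout (client, ident, user, timestamp,
# request line, status). The appliance's actual log format is not on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def matching_pattern(path: str):
    """Return the first advisory pattern that matches this request path, else None."""
    for pat in _COMPILED:
        if pat.match(path):
            return pat.pattern
    return None


def request_path(target: str) -> str:
    """Strip the query string: the advisory patterns are anchored on the path only."""
    return target.split("?", 1)[0]


def scan_log(lines):
    """Return one dict per request whose path matches a blacklisted URI pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = request_path(m.group("target"))
        pat = matching_pattern(path)
        if pat:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "status": int(m.group("status")), "pattern": pat})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2021:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1234
203.0.113.5 - - [20/Apr/2021:10:00:02 +0000] "GET //dana-ws//namedusers HTTP/1.1" 200 512
198.51.100.7 - - [20/Apr/2021:10:00:03 +0000] "POST /dana/meeting?x=1 HTTP/1.1" 403 0
198.51.100.7 - - [20/Apr/2021:10:00:04 +0000] "GET /dana-cached/fb/smb/ HTTP/1.1" 200 800
192.0.2.9 - - [20/Apr/2021:10:00:05 +0000] "GET /dana-ws/metrics HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]}  <- {hit["pattern"]}')
```

Run it over an export of the access log covering the period before the blacklist went in; a hit from a client you do not recognise is a reason to run the Integrity Tool rather than only apply the workaround. Two caveats: the patterns as written are case-sensitive and do no percent-decoding, so neither this script nor (unless the appliance normalises the path before matching, which the page does not say) the blacklist itself would match a request for `/dana-ws/%6Eamedusers`; and `^/+dana-ws/+metric` is a prefix match, so it also covers `/dana-ws/metrics`.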
“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,” according to Pulse Secure. “The PCS team has provided remediation guidance to these customers directly.”
According to parallel research from Mandiant, this bug and the three older ones are at the center of a flurry of activity by different threat actors, involving 12 malware families in all. The malware is used to bypass authentication, establish backdoor access to the VPN devices and move laterally. Two advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.
UNC2630 Cyber-Activity: Links to China
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,” according to Mandiant, in a Tuesday posting. “In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.”
The firm tracks those tools as the following:
- SlowPulse: Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.
- RadialPulse and PulseCheck: Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.
- ThinBlood: A utility used to clear relevant log files.
- Other capabilities: Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.
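Every item in that list is a change to files on the appliance's own filesystem (a trojanized shared object, injected web pages, a log-clearing utility), which is exactly what a baseline hash comparison catches. The following Python is an added example, not Mandiant's code and not Pulse Secure's Integrity Tool: it hashes a directory tree, diffs it against a known-good manifest and reports modified, added and missing files. The directory layout, file names and contents in demo() are constructed for the demonstration; libdsplibs.so is the only name taken from the text.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map every regular file under root (as a /-separated relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's target is hashed under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a known-good manifest with a fresh scan of the same tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a fake appliance tree, then tamper with it
    the way the text describes (a modified shared object, a dropped web page,
    a deleted utility) and return diff_manifest() over the tampered tree.
    The paths below are assumptions for the demo, not the appliance's real layout."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "home", "lib", "libdsplibs.so")
        util = os.path.join(root, "home", "bin", "example_util")
        page = os.path.join(root, "home", "webserver", "htdocs", "dana-na", "auth", "extra.cgi")
        _write(lib, b"\x7fELF constructed stand-in for the real shared object\n")
        _write(util, b"#!/bin/sh\necho constructed utility\n")
        baseline = hash_tree(root)  # taken while the tree is still trusted

        with open(lib, "ab") as f:  # "legitimate, but modified" binary
            f.write(b"# constructed credential-logging hook\n")
        _write(page, b"constructed web shell stand-in\n")  # injected page
        os.remove(util)  # utility deleted after use

        return diff_manifest(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The operational point is where the manifest comes from and where the comparison runs. An actor who can remount the filesystem read-write and persist across upgrades can also edit any manifest or checker stored on the appliance, so take the baseline from a vendor image or a fresh install, keep it off-box, and hash a mounted copy of the appliance filesystem from a trusted host rather than trusting the appliance to report on itself.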
UNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.
“We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,” according to the analysis. “UNC2630’s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.”
APT5 consistently targets defense and technology companies in Asia, Europe and the U.S., Mandiant noted.
“[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,” Mandiant researchers said. “APT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.”
The UNC2717 APT Connection
As for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.
So far, there’s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.
The tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.
All of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.
“Although we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,” researchers said.
They added, “Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.”
Pulse Secure: A Favorite Target for APTs
Pulse Secure VPNs continue to be a hot target for nation-state actors. Last week, the FBI warned that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was one of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the Feds.
Meanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS warned.
And last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, CVE-2019-11510 was in play, used to gain access to employees’ legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.
“Almost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,” Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. “Malicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.”