Hackers backed by nation-states are exploiting critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and gain stealthy access to networks belonging to a raft of organizations in the US Defense industry and elsewhere, researchers said.
At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research world when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides CVE-2021-22893, as the zero-day is tracked, multiple hacking groupsat least one that likely works on behalf of the Chinese governmentare also exploiting several Pulse Secure vulnerabilities fixed in 2019 and 2020.
Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices, researchers Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels wrote. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.
Used alone or in concert, the security flaws allow the hackers to bypass both single-factor and multifactor authentication protecting the VPN devices. From there, the hackers can install malware that persists across software upgrades and maintain access through webshells, which are browser-based interfaces that allow hackers to remotely control infected devices.
Multiple intrusions over the past six months have hit defense, government, and financial organizations around the world, Tuesdays post reported. Mandiant said that it has uncovered limited evidence that tied one of the hacker groups to the Chinese government. Dubbed UNC2630, this previously unknown team is one of at least two hacking groups known to be actively exploiting the vulnerabilities.
Tuesdays post said:
We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the following:
- Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
- Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.
- Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.
- Maintain persistence across VPN appliance general upgrades that are performed by the administrator.
- Unpatch modified files and delete utilities and scripts after use to evade detection.
- Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.
Mandiant provided the following diagrams showing the flow of various authentication bypasses and log access:
Tuesdays blog post also referred to another previously unseen group that Mandiant is calling UNC2717. In March, the group used malware Mandiant identifies as RADIALPULSE, PULSEJUMP, and HARDPULSE against Pulse Secure systems at a European organization.
The company researchers added:
Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools. Despite these gaps in our understanding, we included detailed analysis, detection techniques, and mitigations for all code families in the Technical Annex.
Two years (and counting) of insecurity
Over the past two years, Pulse Secure parent company Ivanti has released patches for a series of Pulse Secure vulnerabilities that not only allowed remote attackers to gain access without a username or password but also to turn off multifactor authentication and view logs, usernames, and passwords cached by the VPN server in plain text.
During that same time span, the critical vulnerabilities have come under active attack by hackers and likely led to the successful ransomware attack on Travelex, the foreign currency exchange and travel insurance company that neglected to install the patches.
The Mandiant advisory is concerning because it suggests that organizations in highly sensitive areas still havent applied the fixes. Also concerning is the revelation of a Pulse Secure zero-day thats under wide attack.
Pulse Secure on Tuesday published an advisory instructing users how to mitigate the currently unpatched security bug. The Mandiant blog post contains a wealth of technical indicators that organizations can use to determine if their networks have been targeted by the exploits.
Any organization thats using Pulse Secure anywhere in its network should prioritize reading and following the recommendations from both Mandiant and Pulse Secure.