Nation-State Actor Linked to Pulse Secure AttacksVulnerabilities Exploited Include a Zero-Day in Ivanti's Pulse Connect Secure
Two attack groups are using exploits of a new zero-day vulnerability in Ivanti's Pulse Connect Secure VPN products and recently patched flaws to attack U.S. federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency, Ivanti and FireEye report that U.S. federal agencies and other entities have been compromised.
"Their primary goals are maintaining long-term access to networks, collecting credentials and stealing proprietary data," Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says of the attackers. "We believe that multiple cyberespionage groups are using these exploits and tools, and there are some similarities between portions of this activity and a Chinese actor we call APT5."
The attackers have been exploiting these vulnerabilities to compromise U.S. government agencies, critical infrastructure and private sector organizations, CISA says. FireEye adds the attacks are global, hitting a variety of government and private institutions.
"The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020. Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted," Ivanti says.
The four Pulse Connect Secure vulnerabilities include a zero-day that was discovered in April and is tracked as CVE-2021-22893. The remaining flaws, CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243 are older and were patched in 2019 and 2020, Ivanti says.
"The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence," CISA says. "The known webshells allow for a variety of functions, including authentication bypass, multifactor authentication bypass, password logging and persistence through patching."
CISA did not say which federal agencies are affected by these attacks. The malicious activity affecting Pulse Connect Secure started in June 2020 or earlier, the agency says.
Ivanti has developed the Integrity Checker Tool that organizations can use to help determine if malicious activity is taking place in a system due to these vulnerabilities. Ivanti is also developing a patch to fix the zero-day issue.
Pulse Connect Secure allows mobile and remote workers to access corporate resources with a secure and authenticated connection, the company says.
The Zero-Day Flaw
The critical-rated zero-day flaw, if exploited, allows an unauthenticated, remote attacker to execute arbitrary code via unspecified vectors, Ivanti says. The company and CISA recommend all organizations using Pulse Connect Secure immediately update to software version 9.1R.11.4
"The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. PCS will issue a software update in early May," Ivanti says.
The older vulnerabilities, which Ivanti previously patched, can allow remote code execution and remote arbitrary file access on the Pulse Connect Secure gateway and enable the uploading of a custom template to perform arbitrary code execution.
FireEye believes the attackers may have used the older vulnerabilities to gain an initial foothold within their targets.
"In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893," FireEye says.
FireEye's Mandiant team reports it's tracking 12 malware families associated with the exploitation of Pulse Connect Secure VPN services. Two threat groups labeled UNC2630 and UNC2717 are believed to be behind the attacks.
"We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5," FireEye says. "We do not have enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group."
FireEye observed UNC2630 conducting attacks as early as August 2020, continuing until March 2021.
FireEye says UNC2630 has been acting against U.S. industrial base networks where it harvested login credentials from Pulse Connect Secure login flows. These credentials allowed the attacker to use legitimate account credentials to move laterally. The attackers maintained persistence by utilizing legitimate but modified Pulse Secure binaries and scripts on the VPN appliance, FireEye says.
FireEye cannot definitively connect UNC2360 to APT5 but says a third party has uncovered evidence connecting this activity to historic campaigns by the group.
FireEye says the 12 malware families all can circumvent authentication to gain backdoor access, inject web shells, maintain persistence, unpatch modified files and delete utilities and scripts after use to evade detection.
UNC2717 targeted European and other global government entities between October 2020 and March 2021, FireEye says.