
Nation-state-backed hackers exploit critical vulnerabilities in the Pulse Secure VPN to bypass two-factor authentication protections and stealthily access networks belonging to many organizations in the U.S. defense industry and elsewhere, researchers said.
At least one of the security flaws is a zero-day, meaning it was unknown to Pulse Secure developers and most of the research community when hackers began actively exploiting it, security firm Mandiant said in a blog post published Tuesday. Besides that zero-day, tracked as CVE-2021-22893, multiple hacking groups, at least one of them likely working on behalf of the Chinese government, are also exploiting several Pulse Secure vulnerabilities that were patched in 2019 and 2020.
Under siege
“Mandiant is currently tracking 12 families of malware associated with the exploitation of Pulse Secure VPN devices,” wrote researchers Dan Perez, Sarah Jones, Greg Wood and Stephen Eckels. “These families are associated with bypassing authentication and backdoor access to these devices, but they are not necessarily related and have been observed in separate studies. It is likely that multiple actors are responsible for creating and deploying these different code families.”
Used alone or together, the security flaws allow the hackers to bypass both single-factor and multi-factor authentication that protects the VPN devices. From there, the hackers can install malware that persists during software upgrades and maintain access through web shells, browser-based interfaces that allow hackers to control infected devices remotely.
Multiple intrusions in the past six months have affected defense, government and financial organizations around the world, Tuesday’s report said. Separately, the US Cybersecurity and Infrastructure Security Agency said the targets also include US government agencies, critical infrastructure entities and other private sector organizations.
Mandiant said it has found “limited evidence” linking one of the hacker groups to the Chinese government. This previously unknown team, dubbed UNC2630, is one of at least two hacking groups known to actively exploit the vulnerabilities. Tuesday’s post read:
We saw that UNC2630 was collecting credentials from several Pulse Secure VPN login streams, eventually allowing the actor to use legitimate account credentials to access the affected environments laterally. To preserve the compromised networks, the actor used legitimate, but modified Pulse Secure binaries and scripts on the VPN device. This is done to achieve the following:
- Trojanize shared objects with malicious code to capture credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
- Inject web shells we currently track as RADIALPULSE and PULSECHECK into legitimate web-accessible Pulse Secure VPN device management web pages for the devices.
- Switch the file system between Read-Only and Read-Write mode to allow file changes on a typical Read-Only file system.
- Maintain persistence on general VPN device upgrades performed by the administrator.
- Unpatch changed files and remove utilities and scripts after use to evade detection.
- Clear relevant log files using a utility tracked as THINBLOOD based on an actor-defined regular expression.
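Two of the tactics listed above, trojanized shared objects and web shells injected into the appliance's web pages, leave modified or newly added files behind. The following added example (my own illustration, not Mandiant's or Pulse Secure's code) shows the defender-side check for that: build a SHA-256 manifest of a known-good file tree, rebuild it later, and report what changed. The directory layout, file names and contents are constructed placeholders, not real Pulse Secure paths.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the reported tradecraft touches: shared objects (trojanized to
# capture credentials) and web-accessible scripts/pages (web shell injection).
WATCHED = {".so": "modified shared object", ".cgi": "web-accessible script",
           ".pl": "web-accessible script", ".html": "web-accessible page"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): sha256_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return modified/added/removed paths, each tagged with why it matters."""
    def tag(path: str) -> str:
        return WATCHED.get(Path(path).suffix, "other file")
    return {
        "modified": [(p, tag(p)) for p in sorted(baseline)
                     if p in current and current[p] != baseline[p]],
        "added": [(p, tag(p)) for p in sorted(current) if p not in baseline],
        "removed": [(p, tag(p)) for p in sorted(baseline) if p not in current],
    }

def demo() -> dict:
    """Constructed scenario: a clean placeholder tree, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "web").mkdir()
        (root / "lib" / "libauth.so").write_bytes(b"\x7fELF-placeholder")
        (root / "web" / "admin.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        baseline = build_manifest(d)
        # Simulate tampering: a patched shared object and an extra injected script.
        (root / "lib" / "libauth.so").write_bytes(b"\x7fELF-placeholder+patch")
        (root / "web" / "helper.cgi").write_text("#!/usr/bin/perl\n# injected\n")
        return compare_manifests(baseline, build_manifest(d))

if __name__ == "__main__":
    for kind, items in demo().items():
        for path, why in items:
            print(f"{kind:8} {path} ({why})")
```

A manifest built from a vendor-supplied clean image is only useful if it is stored off the appliance, since the same report notes that the actors unpatch files and remove their tooling after use.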
Mandiant provided diagrams (credit: Mandiant) showing the flow of the various authentication bypasses and log access:
- LDAP auth bypass.
- RADIUS 2FA bypass.
- ACE reference log.
- ACE authentication bypass variant.
- Realm sign-in 2FA bypass.
Tuesday’s blog post also referenced another previously unseen group that Mandiant calls UNC2717. In March, the group used malware that Mandiant identifies as RADIALPULSE, PULSEJUMP and HARDPULSE against Pulse Secure systems at a European organization.
The company’s researchers added:
Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all of the code families described in this report with UNC2630 or UNC2717. We also note the possibility that one or more related groups are responsible for the development and dissemination of these different tools across loosely connected APT actors. It is likely that groups other than UNC2630 and UNC2717 have used one or more of these tools. Despite these gaps in our understanding, we have included detailed analyses, detection techniques and solutions for all code families in the technical appendix.
Two years (and counting)
Over the past two years, Pulse Secure parent company Ivanti has released patches for a series of Pulse Secure vulnerabilities that have allowed attackers to gain remote access without a username or password, disable multi-factor authentication, and view logs, usernames and passwords cached by the VPN server in plain text.
During that same period, the critical vulnerabilities were actively attacked by hackers and likely led to the successful ransomware attack on Travelex, the currency exchange and travel insurance company, which failed to install the patches.
Mandiant’s report is alarming because it suggests that organizations in highly sensitive sectors have still not installed the fixes. Also worrisome is the revelation of a Pulse Secure zero-day that is being actively exploited.
Pulse Secure released an advisory on Tuesday instructing users on how to mitigate the currently unpatched security bug. The Mandiant blog post contains a wealth of technical indicators that organizations can use to determine whether their networks are being targeted by the exploits.
Any organization using Pulse Secure anywhere in its network should prioritize reading and following the recommendations of both Mandiant and Pulse Secure.