Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families, Mandiant says.
An attacker could exploit these vulnerabilities to gain persistent system access and take control of the enterprise network operating the vulnerable PCS device. These vulnerabilities are being exploited in the wild.
As a result, Mandiant has released a blog post examining multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells. The focus of the report is on the activities of UNC2630 against U.S. Defense Industrial base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.
Mandiant is collaborating with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.
As part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the Pulse Connect Secure Integrity Tool to assist with determining if systems have been impacted.
The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an emergency directive on Pulse Connect Secure, directing federal departments and agencies to run the the Pulse Connect Secure Integrity Tool on all instances of PCS virtual and hardware appliances to determine whether any PCS files have been maliciously modified or added. CISA is also urging state and local governments, the private sector and other to review ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities for additional mitigation recommendations.
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), says, “A few days ago, CISA and FBI issued an advisory which included a Pulse Secure vulnerability used by Russian APT29. The FireEye research, stating that a Chinese group tagged as UNC2630 is using the same kind of vulnerabilities in their campaign, proves again that vulnerability risk management needs to keep in mind that a combination of vulnerabilities should be more concerning than any single critical vulnerability. Any approach that considers ‘patch only the most severe’ will miss the fact that an attack takes turns. It is like a pathfinder through the vulnerability landscape in an infrastructure as seen during the attacker’s reconnaissance phase (or assumed as ‘just there’). Overall, both the FireEye report, and the advisory, underline the need for a layered defense, that encompasses prevention (like Vulnerability and Patch Management) as well as detection (like Change Control) to achieve cyber resilience.”
“Almost without fail, the common thread with any advanced persistent threat is the exploitation of known vulnerabilities both new and old," says Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. "Malicious activity, whether using a supply chain vector or a VPN authentication bypass, is thwarted by good cyber hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cyber security dirty job that is under resourced and underappreciated and businesses are paying the price."
Heather Paunet, Senior Vice President at Untangle, explains these security incidents point out the need for ensuring you are using the latest technologies with state-of-the-art cryptography, such as Wireguard. Paunet adds, "With more people working from home and using VPN technology than ever, ensuring online privacy and security is paramount. Yet, many businesses continue to use older technologies, despite the increase in not only the number of threats, but the sophistication of threats. Other considerations for VPN use include keeping up to date with patches and latest configuration and ensuring employees use VPN according to protocol.”
"The old adage of defense in depth is still pertinent," says Vishal Jain, Co-Founder and CTO at Valtix. "Network security, tied to automatic rule updates for the latest vulnerabilities to guard against ingress infiltration by the way of virtual patching, prevention of lateral movement with east-west controls and data exfiltration with egress controls, will certainly help."