An attack group potentially acting in the interests of the Chinese government has exploited vulnerabilities--including a zero day--in the widely deployed Pulse Connect Secure VPN appliance to compromise government agencies in the United States and Europe, as well as several dozen other organizations to gather credentials, steal sensitive data, and place webshells on targeted appliances to maintain persistence.
Although researchers have not been able to pinpoint exactly when the attacks began, they have been ongoing for more than a year and could go back several years. Researchers at FireEye Mandiant uncovered the activity targeting Pulse Secure appliances while responding to customer incidents in recent months, and found that a group it now tracks as UNC2630, and possibly several other threat actors, have been exploiting several previously known flaws and one newly discovered vulnerability in the appliances. The new vulnerability (CVE-2021-22893) is a critical remote code execution flaw discovered earlier this month. Pulse Secure has released mitigations for the flaw but won’t have a patch ready until early May.
The attackers are using as many as 12 separate malware families in the intrusions, some of which enable them to bypass two-factor authentication and insert backdoors on the device. Mandiant said that the attackers have targeted government agencies, defense industrial base companies, and other organizations with these tools, though it said the tools likely were not created by one actor.
“Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment,” FireEye researchers wrote in an analysis of the intrusions.
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.”
Pulse Connect Secure is an SSL VPN appliance that’s used in many enterprises and government agencies as a secure remote access tool. VPNs are high-value targets for attackers, especially state-sponsored groups who know that compromising a VPN appliance inside a target organization can provide systemic long-term access to the network. Some of the new intrusions that FireEye Mandiant responded to involved exploitation of an older set of Pulse Secure flaws for which the company released fixes two years ago, while others involved targeting of the new zero day. Regardless of the attack vector, the threat actors have shown the ability to stay resident on compromised Pulse Connect Secure appliances for quite some time by utilizing the assorted malware at their disposal.
“These tools are persistent across upgrades and factory resets, meaning that the actors may have had access to victim networks for several years. We have logs showing attacker access going back to July 2020 and have early indications that these tools were present on victim networks dating back to mid 2019,” said Sarah Jones, senior principal analyst, Mandiant Threat Intelligence.
One of the malware tools that UNC2630 deploys in the attacks is called Slowpulse by FireEye, and there are several different variants of it. Variant 1 allows the attacker to circumvent certain 2FA implementations through the use of a backdoor password.
“This variant is responsible for bypassing LDAP and RADIUS-2FA authentication routines if a secret backdoor password is provided by the attacker. The sample inspects login credentials used at the start of each protocol’s associated routine and strategically forces execution down the successful authentication path if the provided password matches the attacker's chosen backdoor password,” FireEye said in its analysis.
Another Slowpulse variant modifies the 2FA authentication routine in order to spoof a successful two-factor authentication.
UNC2630 is a newly identified group that FireEye said is using unique infrastructure, tools and behaviors that the company has not seen in any other campaigns. The group may have ties to APT5, a Chinese attack group, but FireEye researchers could not definitively make that connection. However, the general attribution to China is stronger.
“We have historical data based on targeting and retargeting of affected organizations that generally line up with collection requirements for the Chinese government. As well, as mentioned in the blog, we have also worked with several third-party organizations that are also tracking UNC2630 within the APT5 bucket. Several TTPs that have been observed historically bear similar resemblance to techniques observed in the recent activity,” said Dan Perez, manager of advanced practices at Mandiant.
As a result of the attacks against Pulse Connect Secure, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Tuesday ordering all civilian federal agencies to find every existing instance of Pulse Connect Secure in their environments and run the Pulse Connect Secure Integrity Tool on each one to identify mismatched file hashes.
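The integrity check the directive calls for boils down to comparing the hashes of files on the appliance against a known-good manifest and flagging anything that differs. The following is an added example written for this article, not Pulse Secure's Integrity Tool or any of its code: it hashes a directory tree with SHA-256, compares the result to a baseline manifest, and separates modified files (the kind of "legitimate, but modified" binaries and scripts Mandiant describes), missing files, and unexpected files (the category a dropped webshell would fall into). The appliance paths and file contents in the demo are constructed for illustration and do not correspond to real Pulse Connect Secure files.

```python
"""Added example (not the article's or Pulse Secure's code): a minimal
file-integrity check that compares on-disk SHA-256 hashes against a
known-good manifest and reports modified, missing and unexpected files."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_to_manifest(observed, manifest):
    """Classify every path against the known-good manifest.

    modified   : in both, but the hash differs (a tampered binary or script)
    missing    : listed in the manifest but absent on disk
    unexpected : on disk but not in the manifest (e.g. a dropped webshell)
    """
    modified = sorted(p for p in manifest if p in observed and observed[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in observed)
    unexpected = sorted(p for p in observed if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def build_demo():
    """Constructed demo: a fake appliance tree, a manifest taken before tampering,
    then simulated tampering. Paths and contents are invented for illustration."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    files = {
        "bin/auth-routine": b"original authentication routine\n",
        "cgi/login.cgi": b"original login handler\n",
        "lib/helper.so": b"original shared library\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = hash_tree(root)  # known-good baseline captured before tampering

    # Simulated tampering: an altered auth routine, an unexpected CGI file,
    # and a deleted library.
    with open(os.path.join(root, "bin/auth-routine"), "wb") as f:
        f.write(b"original authentication routine + extra branch\n")
    with open(os.path.join(root, "cgi/dropped.cgi"), "wb") as f:
        f.write(b"file not present in the manifest\n")
    os.remove(os.path.join(root, "lib/helper.so"))
    return root, manifest


def run_demo():
    """Hash the tampered tree and diff it against the baseline manifest."""
    root, manifest = build_demo()
    return compare_to_manifest(hash_tree(root), manifest)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest must come from a trusted source (the vendor's published hashes or an image known to be clean) rather than from the appliance itself, since a baseline captured after compromise would simply enshrine the tampered files; the demo captures it before tampering to make that ordering explicit.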
“CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” the directive says.