
Exploited vulnerabilities include Zero-Day in Ivanti’s Pulse Connect Secure

April 20, 2021

A new zero-day vulnerability in Ivanti’s Pulse Connect Secure products is being combined with recently patched flaws to attack US federal agencies.

The US Cybersecurity and Infrastructure Security Agency (CISA), Ivanti and FireEye report that US federal agencies and other entities have been compromised by two attack groups.

“Their main goals are to maintain long-term access to networks, collect credentials and steal proprietary data,” said Charles Carmakal, senior vice president and technical director of FireEye Mandiant. “We believe that several cyber espionage groups are using these exploits and tools, and there are similarities between parts of this business and a Chinese player we call APT5.”

Attackers actively exploit these vulnerabilities to compromise U.S. government agencies, critical infrastructure and private sector organizations, according to CISA. FireEye adds that the attacks are global, hitting a variety of government and private institutions.

“The investigation shows ongoing attempts to exploit four issues: the bulk of these issues relate to three vulnerabilities that were patched in 2019 and 2020. Customers are strongly recommended to review the advisories and follow instructions, including changing all environmental passwords on impact,” says Ivanti.

The four vulnerabilities include a zero-day discovered in April and tracked as CVE-2021-22893. The remaining three, CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243, are older and were fixed in 2019 and 2020, says Ivanti.

“The threat actor uses this access to place webshells on the Pulse Connect Secure appliance for additional access and persistence,” says CISA. “Known webshells allow a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.”

CISA did not specify which federal agencies were affected by these attacks. According to CISA, malicious activity affecting Pulse Secure began in June 2020, if not earlier.

Ivanti has released an integrity check tool that organizations can run to determine whether a system shows signs of malicious activity related to these vulnerabilities. Ivanti is also developing a patch to address the zero-day.

Pulse Connect Secure allows mobile and remote workers to access corporate resources with a secure and authenticated connection, the company explains.

Zero-day

If exploited, the critical zero day allows an unauthenticated remote attacker to execute arbitrary code through unspecified vectors, Ivanti says. The company and CISA recommend that all organizations using Pulse Connect Secure update to software version 9.1R.11.4 immediately.

“The new problem, discovered this month, has affected a very limited number of customers. The team worked quickly to provide mitigation measures directly to the limited number of affected customers, which corrects the risk to their system. PCS will release a software update in early May,” Ivanti says.

Older vulnerabilities, which Ivanti fixed earlier, can allow remote code execution, arbitrary remote access to files on the Pulse Connect Secure gateway, and the ability to download a custom template to execute arbitrary code.

FireEye believes that the attackers may have used the old vulnerabilities to gain a foothold in their targets.

“In many cases, we have not been able to determine how the actors obtained administrator level access to the appliances. However, based on an analysis by Ivanti, we suspect that some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020. Other intrusions were due to the exploitation of CVE-2021-22893,” explains FireEye.

China Connection

The Mandiant team at FireEye reports that it is tracking 12 malware families associated with the exploitation of Pulse Connect Secure VPN appliances. Two threat groups, labeled UNC2630 and UNC2717, are believed to be behind the attacks.

“We suspect that UNC2630 is operating on behalf of the Chinese government and may have links to APT5,” FireEye said, adding that “we do not have sufficient evidence on UNC2717 to determine government sponsorship or affiliation, or suspected links to a known APT group.”

FireEye observed UNC2630 carrying out attacks from August 2020 through March 2021.

FireEye says that UNC2630 targeted US industrial backbone networks, where it harvested credentials from Pulse Secure login flows. These credentials allowed the attacker to use legitimate accounts to move laterally. The attackers maintained persistence by using legitimate but modified Pulse Secure binaries and scripts on the VPN appliance, says FireEye.
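Two points in the article call for the same defensive check: Ivanti's integrity check tool for spotting compromised appliances, and FireEye's finding that persistence relied on legitimate binaries and scripts that had been modified in place. The following is an added example, not Ivanti's tool or any code from the page, showing the core of such a check: hash every file under a known-good tree into a baseline manifest, rehash later, and report what was modified, added or removed. The directory layout and file names (`bin/authd`, `bin/helper.sh`, `config.txt`, `extra.dat`) are constructed for the demonstration and do not correspond to real Pulse Connect Secure paths.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large binaries never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a POSIX path relative to root) to its SHA-256.

    Symlinks are skipped so a planted link cannot make a tampered file hash as clean."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a current manifest against the known-good baseline.

    'modified' covers patched-in-place binaries and scripts, 'added' covers dropped files
    such as web shells, and 'removed' covers tooling deleted after use."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake appliance tree, tamper with it, then re-check.

    All file names and contents here are made up for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "authd").write_bytes(b"original authentication binary\n")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "config.txt").write_text("setting=1\n")
        baseline = build_manifest(root)  # taken from a clean install in practice

        # Simulated tampering of the kind described in the article:
        # a legitimate binary patched in place, a new file dropped, a script removed.
        (root / "bin" / "authd").write_bytes(b"original authentication binary\n\x00patched\n")
        (root / "extra.dat").write_text("unexpected file\n")
        (root / "bin" / "helper.sh").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

In real use the baseline manifest must be generated from a trusted image and stored off the appliance; a manifest kept on the same box can be rewritten by the same actor who patches the binaries, which is why vendor tools like Ivanti's ship their known-good hashes with the tool rather than reading them from the device.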

FireEye cannot definitively link UNC2630 to APT5, but says that a third party has uncovered evidence connecting this activity to historical campaigns that Mandiant attributes to the Chinese espionage actor APT5.

FireEye says the 12 malware families can, between them, bypass authentication to gain backdoor access, inject web shells, maintain persistence, unpack modified files, and remove utilities and scripts after use to evade detection.

UNC2717 targeted European and global government entities between October 2020 and March 2021, according to FireEye.