Ivanti, FireEye, the U.S. Cybersecurity and Infrastructure Agency and other security experts are sounding the alarm about vulnerabilities in Ivanti Pulse Connect Secure products that have been exploited since at least June 2020 and a dozen malware families associated with the exploits.
According to Ivanti, which offers the Pulse Connect Secure VPN appliances, the company recently discovered that a limited number of customers have experienced evidence of compromise on their Pulse Connect Secure appliances, and the company is working with forensic experts including Mandiant/FireEye, CISA, Stroz Friedberg and others to investigate.
The team noted four issues, including three vulnerabilities that were patched in 2019 and 2020.
However, there is a new issue discovered just this month that has impacted “a very limited number of customers,” the Pulse Connect Secure team said. That vulnerability is tracked as CVE-2021-2289 and is an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.
CISA’s alert to the private sector came as the agency directed federal civilian agencies using the affected products to run the Pulse Secure Integrity Tool and take other actions. The Pulse Secure team developed the tool to help customers determine if they’re impacted by these issues.
According to FireEye’s blog on the issue, a Chinese-backed hacking team is believed to be behind these exploits that are targeting U.S. defense companies. The actors are suspected to have obtained administrator-level access to the appliances through previously disclosed Pulse Secure vulnerabilities, and other intrusions were due to the new vulnerability.
The company says it observed the threat actor, tracked as UNC2630, harvesting credentials from various Pulse Secure VPN login flows and then using those legitimate credentials to move around in the victim environments.
Here’s more from FireEye:
We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the following:
- Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
- Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.
- Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.
- Maintain persistence across VPN appliance general upgrades that are performed by the administrator.
- Unpatch modified files and delete utilities and scripts after use to evade detection.
- Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.
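As an added illustration (not FireEye's or Ivanti's code, and not the Pulse Secure Integrity Tool), the Python below shows two checks a defender can run against the behaviours listed above: spotting a mount point that should be read-only but currently carries the `rw` option, and comparing file hashes against a recorded baseline to catch modified binaries. The mount table, file paths and file contents are constructed samples.

```python
import hashlib
import re

# Constructed /proc/mounts snapshot (not captured from a real appliance);
# the root filesystem is expected to be read-only but shows "rw".
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /data ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Hypothetical policy: mount points that must stay read-only on the device.
EXPECTED_READ_ONLY = {"/"}

# device mount_point fstype options dump pass
MOUNT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) \d+ \d+$")


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            mounts[m.group(2)] = set(m.group(4).split(","))
    return mounts


def writable_but_expected_ro(mounts, expected_ro=EXPECTED_READ_ONLY):
    """Mount points that should be read-only but carry the rw option."""
    return sorted(mp for mp in expected_ro if "rw" in mounts.get(mp, set()))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def modified_files(baseline, current):
    """Paths whose current content hash differs from the recorded baseline.

    baseline: {path: sha256 hex}; current: {path: bytes} (constructed here)."""
    return sorted(p for p, h in baseline.items() if sha256(current.get(p, b"")) != h)


# Constructed file contents standing in for appliance binaries (hypothetical paths).
ORIGINAL = b"original shared object bytes"
MODIFIED = b"original shared object bytes + unexpected modification"
BASELINE = {"/lib/libauth.so": sha256(ORIGINAL), "/bin/tool": sha256(b"tool")}
CURRENT = {"/lib/libauth.so": MODIFIED, "/bin/tool": b"tool"}

if __name__ == "__main__":
    print(writable_but_expected_ro(parse_mounts(SAMPLE_MOUNTS)))  # ['/']
    print(modified_files(BASELINE, CURRENT))  # ['/lib/libauth.so']
```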
FireEye says it also observed another, possibly related, threat actor using certain malware at a European organization last month, but did not observe that malware used against U.S. defense companies. The two sets of malware do, however, share similar characteristics and carry out similar functions.