Researchers have uncovered four new malware families designed to target Pulse Secure VPN appliances.
Pulse Secure’s virtual private network (VPN) and Secure Connect (PSC) solutions are used by corporations worldwide to provide secure access to business systems. However, on April 20, FireEye’s Mandiant cyber forensics team disclosed attacks against defense, government, and financial organizations utilizing vulnerabilities in the software.
The major vulnerability at hand is CVE-2021-22893, issued a CVSS severity score of 10, described as an authentication bypass impacting Pulse Connect Secure permitting unauthenticated attackers to perform remote arbitrary code execution (RCE).
Other security flaws connected to attacks are CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which can be used to establish persistence on a vulnerable appliance and further compromise devices.
Mandiant suspects that Chinese threat actors are exploiting the vulnerabilities, and now, intrusions have been detected at defense, government, technology, transport, and financial entities in the United States and Europe.
According to the researchers, UNC2630 and UNC2717 are the main advanced persistent threat (APT) groups involved in these attacks, and both of which “support key Chinese government priorities.”
“Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan,” Mandiant says. “While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.”
In Mandiant’s original report, 12 separate malware families and tools, including the Atrium and Slightpulse webshells, had been found that weaponized Pulse Secure vulnerabilities.
This number has now reached 16 with the discovery of four new malware families linked to UNC2630:
- Bloodmine: This utility parses PSC log files and extracts information relating to logins, message IDs, and web requests.
- Bloodbank: This malware is designed for credential theft and parses files containing password hashes or plaintext credentials.
- Cleanpulse: Cleanpulse is a memory patching tool for preventing specific log events. Mandiant discovered this malware in “close proximity” to an Atrium webshell.
- Rapidpulse: This is a webshell that exists as a modification to a legitimate Pulse Secure file and is not only capable of arbitrary file read, but can also act as an encrypted file downloader.
Mandiant notes that in some cases of intrusion, the Chinese threat actors removed a number of backdoors — but left persistence patchers potentially as a means to regain access in the future — demonstrating an unusual “concern for operational security and a sensitivity to publicity.”
“Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized,” Mandiant added.
Pulse Secure parent company Ivanti has released patches and an integrity tool for users to check their builds for risk. It is recommended that the fixes are applied as soon as possible.
The US Cybersecurity and Infrastructure Security Agency (CISA) first issued an alert on the exploitation of Pulse Connect Secure products on April 21 and has since updated its guidance.
In other alerts this week, the FBI has warned of ongoing attacks using Fortinet/FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, FortiOS CVE-2019-5591). In May, an APT group managed to leverage these bugs to access a web server hosting a domain for a US municipal government.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0