Pulse Secure VPN Flaws Exploited to Target US Defense Sector

Published: 23/11/2024   Category: security




China-linked attackers have used vulnerabilities in the Pulse Secure VPN appliance to attack US Defense Industrial Base networks.



Nation-state attackers are exploiting high-severity vulnerabilities in the Pulse Secure VPN to breach networks within the US defense sector and organizations around the world, researchers report.

IT software firm Ivanti, which acquired Pulse Secure late last year, today confirmed attackers have targeted a limited number of customers using Pulse Connect Secure (PCS) appliances. It has been working with Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA), and others to respond to the exploits, which target three known vulnerabilities and a zero-day.

The three known flaws are CVE-2020-8243, CVE-2020-8260, and CVE-2019-11510, which CISA recently warned is among several CVEs under attack by the Russian Foreign Intelligence Service (SVR) in its efforts to target US and allied networks, including national security and government systems. All of these vulnerabilities were patched in 2019 and 2020, Ivanti says.

CVE-2021-22893, a new issue discovered this month, is an authentication bypass vulnerability that could allow an unauthenticated attacker to perform arbitrary file execution on the Pulse Connect Secure gateway. Ivanti has provided mitigations for the critical flaw and developed a tool for businesses to confirm whether they are affected. A software update will be available in May.

The company did not confirm which group is behind the exploits; however, a Mandiant report also released this morning provides more details on the attacks targeting Pulse Secure CVEs and points to connections between this attack activity and a group with Chinese government ties.

Researchers are currently tracking 12 malware families associated with the exploitation of Pulse Secure VPNs, write Mandiant's Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels in their report. While each of these families is related to bypassing authentication and gaining backdoor access to the VPNs, they aren't necessarily related to one another and have been seen in separate attacks.

It's likely that multiple attack groups are exploiting these vulnerabilities; however, the focus of this research is on UNC2630 and its attacks against US Defense Industrial Base (DIB) networks.

Mandiant earlier this year had been investigating attacks against defense, government, and financial organizations around the world. Each of these attacks could be traced back to DHCP IP address ranges belonging to Pulse Secure VPNs, but in many cases researchers couldn't determine how attackers gained admin access. With Ivanti's analysis, they learned some of these intrusions stemmed from the patched Pulse Secure flaws; others came from CVE-2021-22893.

UNC2630 was seen stealing credentials from various Pulse Secure login flows, which let them use legitimate account credentials to move into target environments. To remain persistent, the attackers used modified Pulse Secure binaries and scripts on the VPN.

Once they achieved persistence, attackers were able to conduct a range of activities. "They Trojanized shared objects to log credentials and bypass authentication flows, including multifactor authentication requirements. They injected Web shells into legitimate Pulse Secure administrative Web pages accessible to the Internet, maintained persistence across VPN general upgrades performed by admins, and unpatched modified files and deleted utilities and scripts to evade detection, among other actions," the researchers explain in their findings.

"We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families," they write.

UNC2630's infrastructure, tools, and behavior on the network were new to the Mandiant team, which hadn't seen them in any other campaigns. But while these factors were unique to this group, analysts found strong similarities to other intrusions going back to 2014 and 2015, which were conducted by Chinese espionage group APT5. They also have limited evidence indicating UNC2630 may operate on behalf of the Chinese government.

While Mandiant can't definitively link UNC2630 to APT5, it notes other researchers have tied this particular activity to other attacks that Mandiant has tracked as Chinese espionage activity. This third-party assessment is consistent with its understanding of APT5, an actor it says has shown interest in compromising networking devices and the software on which they run.

For organizations using Pulse Connect Secure, Mandiant advises assessing the impact of the Pulse Secure mitigations and applying them if possible. Ivanti recommends resetting passwords and reviewing configurations to make sure no service accounts can be used to authenticate to the vulnerability.

CISA has also issued an alert warning of the exploitation of these vulnerabilities.
