While the cybersecurity community pumps out a seemingly unending list of newly discovered software and hardware vulnerabilities each day, many organizations are far more likely to be compromised in part or in whole by older flaws that have yet to be patched.
In a new blog post released this morning, FireEye’s Mandiant team revealed ongoing exploitation by at least two hacking groups – one of which they linked to China – that represents the worst of both worlds: leveraging older, unpatched vulnerabilities with a dangerous new zero day to attack governments, defense contractors and other businesses in the U.S. and Europe.
Mandiant outlined 12 malware families that they observed actively exploiting vulnerabilities in Pulse Secure VPN devices dating back to last year. One of those vulnerabilities exploited a remote code execution bug, was previously unknown and carries a 10 out of 10 severity score by the Common Vulnerability Scoring System. The other three were discovered and patched in 2019 or 2020.
CISA released an advisory confirming that the agency is " aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor — or actors — beginning in June 2020 or earlier.” Later the same day, they released an emergency directive ordering civilian federal agencies to patch the vulnerabilities by Friday, April 23.
Mandiant said it had responded to “multiple security incidents” exploiting the vulnerabilities and while the 12 malware families flagged all deal with bypassing authentication protections to install backdoors, they aren’t all used together and have been observed in separate investigations across multiple groups. The company said it is working with governments, law enforcement, Pulse Secure and Microsoft’s Threat Intelligence Center to investigate the attacks and develop ways to remediate them.
“These actors are highly skilled and have deep technical knowledge of the Pulse Secure product. They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks,” said Charles Carmakal, senior vice president and chief technology officer for FireEye in a statement. “They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected.”
There is no fix for the zero day RCE vulnerability, which affects Pulse Secure Connect versions 9.0R3 and higher, and in a company advisory the timeline for patching all affected versions is currently listed as “TBD.” Phil Richards, chief security officer for Pulse Secure, wrote in a corresponding blog update that a “limited number of customers” have found evidence of exploitation on their Pulse Connect Secure appliances and that the company expects to have a software update ready sometime in May.
Richards said the company is working with the Cybersecurity and Infrastructure Security Agency, FireEye and cybersecurity consultant Stroz Friedberg to assist in the investigation, and the company rolled out a new tool to help customers check and verify whether files in their PCS image were modified or altered, something that could indicate a compromise.
While Pulse Secure is still investigating the incident, Richards claimed that “customers should be aware that no other Pulse Secure products are impacted by these issues, and they are not connected to any other security or product availability incidents.”
For now, they’ve posted a temporary workaround by disabling the Windows file share browser and Pulse Secure Collaboration to neuter URL-based attacks. However, the mitigation will not work on older versions and is “not recommended for a license server.”
The two groups using the exploits thus far were identified by Mandiant as UNC2630 and UNC2717. The acronym “UNC” stands for “Uncategorized Actor Entity,” a naming scheme that FireEye uses to classify clusters of hacking activity that they believe are related but where the evidence and confidence levels around connections and attribution are not as mature as they are for more established “APT” and “FIN” groups.
While Mandiant said they do not have enough information about one of those groups to make a firm attribution, they suspect the other (UNC2630) operates on behalf of China had has links to a Chinese APT group, sometimes called Manganese, that is known for overseeing multiple hacking teams with different tactics, techniques and procedures. According to Mandiant, UNC2630 was observed using the vulnerabilities to target U.S. defense contractors, while UNC2717 focused on global government agencies.
Carmakal said the groups appear to be pursuing espionage related goals and there is currently no evidence that the activities were part of a larger supply chain compromise of Pulse Secure, parent company, Ivanti, or its software.
“Their primary goals are maintaining long-term access to networks, collecting credentials, and stealing proprietary data. We believe that multiple cyber espionage groups are using these exploits and tools, and there are some similarities between portions of this activity and a Chinese actor we call APT5,” he said.
The attack underscores how even when threat groups develop a previously unknown exploit, they often rely on older vulnerabilities to gain an initial foothold or carry out other parts of the attack chain. This latest example “proves again that vulnerability risk management needs to keep in mind that a combination of vulnerabilities should be more concerning than any single critical vulnerability,” said Dirk Schrader, global vice president of security research at New Net Technologies.