Attackers have been exploiting several old and one zero-day vulnerability (CVE-2021-22893) affecting Pulse Connect Secure (PCS) VPN devices to breach a variety of defense, government, and financial organizations around the world, Mandiant/FireEye has warned on Tuesday.
Phil Richards, the Chief Security Officer at Ivanti – the company that acquired Pulse Secure in late 2020 – said that the zero-day vulnerability “impacted a very limited number of customers,” and that the software updates plugging the flaw will be released in early May.
In the meantime, they’ve offered some workarounds that can mitigate the risk of exploitation of that particular vulnerability, as well as a tool that can help defenders check if their systems have been affected.
The attackers’ modus operandi
According to Mandiant/FireEye, several threat actors have been exploiting the four PCS flaws and using 12 malware families to circumvent authentication and gain backdoor access to the targeted devices.
One of these (UNC2630) is believed to operate on behalf of the Chinese government and is possibly connected to APT5 (aka Manganese). Another (UNC2717) could not be definitely tied to a government or known APT group.
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” FireEye researchers shared.
That allowed them to:
Trojanize shared objects with malicious code to log credentials and bypass authentication flows
Inject webshells into Internet-accessible Pulse Secure VPN appliance ad ..