Hackers breached several U.S. federal agencies, critical infrastructure entities, and private entities after exploiting Pulse Connect Secure (PCS) VPN vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) warned.
Since March 31, 2021, CISA has assisted several entities whose vulnerable Pulse Connect Secure devices were exploited by attackers, according to CISA alert AA21-110A.
The attackers exploited Pulse Connect Secure VPN vulnerabilities to harvest Active Directory passwords, install web shells, and bypass multi-factor authentication.
Pulse Secure had earlier issued Security Advisories SA44101 and SA44601 for two older Pulse Connect Secure vulnerabilities, CVE-2019-11510 and CVE-2020-8260, which the attackers also exploited.
Threat actors exploited multiple Pulse Connect Secure VPN vulnerabilities to gain persistence
The threat actor exploited several Pulse Connect Secure vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893, to bypass single- and multi-factor authentication and to install web shells that gave them remote administration of the appliances and persistent access.
The attackers used CVE-2021-22893 as the initial attack vector to compromise victims’ networks. The zero-day is an authentication bypass that leads to remote code execution (RCE), carries a CVSS score of 10.0, and can be exploited without user interaction.
A patch for CVE-2021-22893 was not expected until early May. In the meantime, Ivanti published a workaround as an XML configuration file that disables the affected Windows File Share Browser and Pulse Secure Collaboration features.
Organizations running vulnerable products should run the Pulse Connect Secure Integrity Tool every 24 hours to determine whether their appliances have been compromised; the tool checks the appliance file system for unexpected or modified files.
Federal agencies among victims breached through Pulse Connect Secure VPN vulnerabilities
CISA issued security alert AA21-110A acknowledging the compromise of federal agencies, critical infrastructure entities, and private organizations.
“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor or actors beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products.”
CISA said the vulnerabilities posed an “unacceptable risk to Federal Civilian Executive Branch agencies” and, in Emergency Directive 21-03, ordered those agencies to apply the mitigations immediately to prevent further compromise.
Organizations should reset the passwords of every account whose credentials passed through the Pulse Secure environment; CISA advised treating those accounts as already compromised.
FireEye attributes hacking activity to Chinese threat actors
FireEye’s Mandiant Solutions said it had identified 12 malware families associated with the exploitation of Pulse Connect Secure VPN appliances.
The Milpitas, California-based security firm attributed the PCS-related breaches to two Chinese threat actors, UNC2630, a suspected state-sponsored actor, and UNC2717, an advanced persistent threat actor, although full attribution was still underway.
UNC2630 primarily targeted U.S. federal agencies and the defense industrial base (DIB), while UNC2717 targeted governments worldwide. UNC2630 was also closely related to a Chinese threat actor that has been tracked as APT5 since 2014.
Against federal agencies, the groups deployed malware families including SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK. These range from web shells (ATRIUM, SLIGHTPULSE, PULSECHECK) to authentication-bypass and credential-harvesting modifications of the appliance’s own code (SLOWPULSE, RADIALPULSE, PACEMAKER) and a log-cleaning utility (THINBLOOD).
The groups harvested login credentials, which let them use legitimate accounts to move laterally across compromised networks, and they maintained persistence on the VPN appliances through modified Pulse Secure binaries and scripts, according to FireEye.
FireEye found no evidence that the attackers introduced backdoors into Pulse Secure’s source code or supply chain. It also noted that the exploits were not exclusive to the two Chinese groups and might be used by “loosely connected APT actors.”
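The detection step the article keeps returning to, the Integrity Tool run and the hunt for modified appliance binaries and dropped web shells, comes down to comparing the files on a system against a known-good manifest. The following is an added illustration of that idea in Python; it is example code written for this article, not Pulse Secure’s Integrity Tool, and the file names, contents and directory layout are a constructed temporary tree rather than real appliance paths.

```python
"""Added example: baseline-and-compare file integrity check.

Illustration code written for this article, not Pulse Secure's Integrity
Tool. It hashes a known-good tree into a manifest, then compares a later
snapshot and reports files that were modified, added or removed. The
directory layout and file contents below are constructed for the demo and
are not real Pulse Connect Secure paths.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash.

    Symlinks are skipped so a planted link cannot make a foreign file look
    like part of the baseline.
    """
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report drift between the known-good manifest and the current snapshot."""
    return {
        # same path, different content: a patched binary or script
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        # paths the vendor image never had: dropped web shells, tools
        "added": sorted(k for k in current if k not in baseline),
        # files an attacker deleted, e.g. to break logging
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a shared object is patched and a web shell is dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "cgi-bin").mkdir()
        # Constructed 'known-good' files standing in for appliance components.
        (root / "bin" / "auth.so").write_bytes(b"\x7fELF original shared object")
        (root / "cgi-bin" / "login.cgi").write_bytes(b"#!/bin/sh\nexec /bin/login\n")
        baseline = build_manifest(root)

        # Simulated tampering of the kind the article describes: a modified
        # authentication library and a new CGI script acting as a web shell.
        (root / "bin" / "auth.so").write_bytes(b"\x7fELF patched to accept any password")
        (root / "cgi-bin" / "shell.cgi").write_bytes(b"#!/bin/sh\neval \"$QUERY_STRING\"\n")
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest has to come from a trusted copy of the vendor image, not from the running appliance, and it should be stored off-box; a manifest generated on an already-compromised device simply enshrines the attacker’s changes, which is why the article’s advice is to run the vendor’s tool rather than to self-attest.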
An Ivanti spokesperson told The Hill that only a “limited number” of customers were breached and that the company had notified compromised entities directly by email.
Although CISA did not identify which federal agencies were breached, reported potential victims include the Coast Guard, the Pentagon, and the Bureau of the Fiscal Service.
FireEye also said it detected malicious activity against U.S. DIB networks and European organizations.
Commenting on the CISA alert, Heather Paunet, Senior Vice President at Untangle, said organizations should make sure they are using current VPN technology and cryptography.
“Security incidents, such as the attack on Pulse Secure VPN appliances, point out the need for ensuring you are using the latest technologies with state-of-the-art cryptography, such as Wireguard.”
She noted that preserving users’ online security and safety was important during the remote working era.
“Yet, many businesses continue to use older technologies, despite the increase in not only the number of threats but the sophistication of threats,” Paunet added. “Other considerations for VPN use include keeping up to date with patches and latest configuration and ensuring employees use VPN according to protocol.”
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), said that mitigation must consider vulnerabilities beyond the most severe ones.
“Any approach that considers ‘patch only the most severe’ will miss the fact that an attack takes turns. It is like a pathfinder through the vulnerability landscape in an infrastructure as seen during the attacker’s reconnaissance phase (or assumed as ‘just there’). Overall, both the FireEye report and the advisory underline the need for a layered defense, that encompasses prevention (like Vulnerability and Patch Management) as well as detection (like Change Control) to achieve cyber resilience.”
Paul Martini, CEO of iboss, said VPNs are obsolete in the modern technology landscape.
“Organizations deploying legacy network security appliances to protect cloud connectivity and internet access are faced with these problems today. It’s often been said that VPN’s days are limited in part because they’re not scalable, which makes them incapable of processing massive amounts of internet traffic generated by remote workforces.”
He noted that legacy VPN technology is often plagued by unpatched security vulnerabilities, exposing organizations to unnecessary risk.
“Organizations must strengthen their security postures by using modern cybersecurity solutions, like SASE platforms, that allow users to connect directly to any cloud app quickly and securely, thus eliminating the need for a VPN.”
VPN appliances have become a common initial access vector for persistent threat actors. Working VPN exploits are among the most sought-after items sold on the dark web, and most VPN software runs with administrative privileges on the systems it is installed on.
Threat actors are therefore willing to pay top dollar for these initial compromise vectors, which they use to deploy malware, including ransomware.
Editor’s Note: An earlier version of this article stated that the Nuclear Regulatory Commission is a potential victim. The agency has since clarified that they do not use the software in question.