Pulse Connect Secure VPNs Still Under AttackFireEye: Attackers Using New Malware and Procedures
Two China-linked threat groups are still exploiting unpatched flaws in Ivanti's Pulse Connect Secure VPN products, using additional malware variants to support cyberespionage, FireEye's Mandiant Threat Intelligence team says.
"Mandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure VPN appliances at organizations across the defense, government, high tech, transportation and financial sectors in the U.S. and Europe," according to a report FireEye issued Thursday.
CISA notes the attackers attempted to cover their tracks by removing and changing the information on affected systems.
Ivanti also issued an updated tool to help users check if they have been targeted, says Matthew Hartman, CISA’s deputy executive assistant director for cybersecurity.
“CISA continues to work closely with Ivanti to better understand the vulnerabilities in Pulse Secure VPN products and mitigate potential risks to public and private sector networks," Hartman says. "The updated alert, released today, includes guidance on intrusion detection beyond the Pulse Secure device and use of the Ivanti integrity checker tool to detect exploitation and combat efforts to obfuscate intrusions."
Ivanti's product security incident response team introduced the Integrity Checker Tool in March.
In addition to identifying new tactics, techniques and procedures used by two attack groups, known as UNC2630 and UNC2717, FireEye says the groups are conducting cyberespionage activity supporting Chinese government priorities.
"Mandiant is tracking 16 malware families exclusively designed to infect Pulse Secure VPN appliances and used by cyberespionage groups which we believe are affiliated with the Chinese government," FireEye says in its new report.
FireEye, Ivanti and CISA reported on April 20 that UNC2630 and UNC2717 were involved in gaining long-term access to an unnamed network through its Ivanti Pulse Secure VPN and SolarWinds' Orion server and then installing Supernova malware.
The attackers exploited one zero-day flaw and three previously patched vulnerabilities to compromise U.S. government agencies, critical infrastructure and private sector organizations, CISA and FireEye said in April. Ivanti issued a patch for the zero-day flaw in May.
FireEye noted in April that the attacks were hitting a variety of government and private-sector organizations worldwide. These included at least five executive branch agencies that showed evidence of suspicious or malicious activity within their networks, said Hartman in April. Officials say 26 federal agencies use Pulse Connect Secure VPNs (see: CISA: 5 Agencies Using Pulse Secure VPNs Possibly Breached).
In its new alert, FireEye says UNC2630 is using four new malware families to infect Pulse Secure devices.
"These utilities have similar functions to the 12 previously documented malware families: harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence," FireEye says.
The newly identified malware includes:
- Bloodmine, a utility for parsing Pulse Secure Connect log files: It extracts information related to logins, message IDs and web requests and copies the relevant data to another file.
- Bloodbank, a credential theft utility: It parses two files containing password hashes or plain-text passwords and expects an output file to be given at the command prompt.
- Cleanpulse, a memory patching utility: This may be used to prevent certain log events from occurring. It was found in close proximity to an Atrium web shell.
- Rapidpulse, a web shell capable of arbitrary file read: This is a modification to a legitimate Pulse Secure file. It can serve as an encrypted file downloader for the attacker.
FireEye's researchers found the attackers use the four vulnerabilities to gain access and then create a local administrator account outside of established credential management controls on targeted Windows servers. The attackers use web shells and additional malware for persistence on Windows and Linux endpoints.
The attackers then escalate privileges by using Mimikatz to harvest credentials, according to the report.
"The attackers then conduct reconnaissance followed by lateral movement through the system starting from the compromised Pulse Secure VPN appliance," FireEye says.
UNC2630 reacted almost immediately when its attacks were discovered in April, taking steps to cover it tracks by removing malware from its victims' devices, FireEye says.
"Between April 17 and April 20, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove web shells like Atrium and Slightpulse," FireEye says.
CISA says in its Thursday alert: "The threat actor was observed timestomping the trojanized umount binary to match timestamps of legitimate binaries attempting to disguise the modifications; the touch command was used to modify the time stamp."
In one instance, UNC2360 was observed deleting web shells, but it did not remove the persistence patcher, making it possible to regain access when the device was upgraded, FireEye says.
While FireEye notes only UNC2360 went back into the Pulse Secure attack victims and made changes, the security firm says UNC2717 and UNC2360 both display advanced tradecraft and go to impressive lengths to avoid detection.
"It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity," FireEye says.
Stronger China Ties
FireEye notes its deeper investigation into the Pulse Secure attacks determined that the information UNC2630 and UNC2717 have been gathering aligns with Chinese government goals.
"We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities," the company says "Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th five-year plan.
China has outlined eight areas of vital economic interest it sees as essential to maintaining global competitiveness: energy, healthcare, railway transportation, telecommunications, national defense and stability, advanced manufacturing, network power, and sports and culture, FireEye says.
FireEye says it has direct evidence of UNC2630, UNC2717 and other Chinese-affiliated APT groups stealing credentials, email communications and intellectual property with commercial and military applications.
Under the 2015 Obama-Xi agreement the U.S. and China pledged not to conduct or support cyber-enabled intellectual property theft, including trade secrets or other confidential business information, for commercial advantage.
"Throughout our investigations, we did not directly observe the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement," FireEye says. "Given the narrow definition of commercial, intellectual property theft and the limited availability of forensic evidence, it is possible that our assessment will change with the discovery of new information."