3 May 2021

US Agencies, Defense Companies Hacked Via VPNs

By BRAD D. WILLIAMS

WASHINGTON: US government agencies, critical infrastructure entities, and private sector organizations are back in the cyber crosshairs, the Cybersecurity and Infrastructure Security Agency said today — first in an alert and later in an emergency directive issued within hours of each other.

CISA’s emergency directive and alert were issued as US security companies FireEye and Ivanti disclosed separately — but in coordination with each other — that threat actors are targeting one newly discovered and three previously known vulnerabilities in Pulse Connect Secure appliances. Security patches are currently available for the three known vulnerabilities. A patch for the newly disclosed vulnerability is expected within weeks.

Ivanti, FireEye, Microsoft’s Threat Intelligence Center, and government and law enforcement agencies are said to be working together on this incident.

Pulse Connect Secure is an enterprise virtual private network (VPN) product. VPNs encrypt data as it’s transmitted across public networks, such as the internet. Pulse Connect Secure enables remote workers to securely access enterprise networks.

The emergency directive says, “CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise.”

The scale and scope of the campaign are unclear right now. Pulse Connect Secure parent company Ivanti said in its blog post “a limited number of customers” have “revealed evidence of exploit behavior.” Ivanti did not specify the number or types of customers affected. FireEye’s Mandiant unit said defense, government, and financial organizations around the world have been affected, including “US [defense industrial base] companies” and a “European organization,” but investigators did not elaborate.

CISA’s emergency directive indicates federal government concern. The alert — issued just hours before the emergency directive — says CISA has been aware of compromises dating back to at least June 2020. This then raises questions about the reason for and timing of the emergency directive issued only today.

Mandiant said it “suspects” one threat actor is “operat[ing] on behalf of the Chinese government.” This group began exploiting vulnerabilities in August 2020 and continued through March.

Mandiant said it currently lacks sufficient evidence to identify what it believes to be a second threat actor, which the company says exploited vulnerabilities from October 2020 through March.

CISA didn’t go as far as Mandiant in implicating China or any other party in the hacks, referring only to “a cyber threat actor — or actors” throughout its alert.

A CISA-NSA-FBI joint advisory issued last week warned that the Russian Foreign Intelligence Service (SVR) is actively exploiting one of the known Pulse Connect Secure vulnerabilities.

The four vulnerabilities enable threat actors to gain initial access to Pulse Connect Secure appliances, according to CISA and Mandiant, both saying they have responded to recent security incidents. After this initial infection vector, CISA and Mandiant say threat actors inject web shells. Web shells enable attackers to remotely control compromised devices, maintain persistent access, and move laterally across networks, among other activities.

The apparent kill chain is reminiscent of the recent multistep Microsoft Exchange email server hacks, in which threat actors gained initial access to email servers via zero-day vulnerabilities and then injected web shells for remote control, persistent access, and additional capabilities.

Mandiant said the threat actors targeting Pulse Connect Secure have shown the ability to harvest login credentials, bypass single and multifactor authentication, modify files, un-patch modified files, delete attacker utilities and scripts, and wipe logs. Such capabilities enable attackers to pose as legitimate users on the network, evade detection, and maintain persistent access across product upgrades.

Mandiant said it’s tracking 12 malware families associated with the Pulse Connect Secure exploits. “These families are related to the circumvention of authentication and backdoor access to these devices,” the company said, “but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.”

Ivanti said the newly disclosed Pulse Connect Secure vulnerability was discovered this month, and the company has been working “quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system.” Ivanti is now developing a software update to be deployed in early May. Additionally, the company said it has released information on advanced mitigation and created the Pulse Security Integrity Checker, an online tool organizations can use to “evaluate their product installations and see if they’ve experienced any impact because of the issues.”

CISA’s emergency directive requires all federal agencies to enumerate every Pulse Connect Secure instance and to run the Integrity Checker Tool by 5 p.m. Eastern Daylight Time on April 23. Additional actions may be required.

Today’s news comes on the heels of the White House announcing it’s winding down emergency cyber teams that were spun up to handle the “surge” required to respond to the SolarWinds and Microsoft Exchange email server campaigns over recent months.

In disclosing the Pulse Connect Secure cyber campaign today, Mandiant noted, “There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.”