Pulse Secure VPN appliances targeted in APT campaign


By Dylan Bushell-Embling
Wednesday, 21 April, 2021



Pulse Secure VPN appliances targeted in APT campaign

FireEye subsidiary Mandiant has warned of a new attack campaign targeting Pulse Secure VPN appliances that has involved exploiting a zero-day vulnerability to bypass single and multifactor authentication on targeted devices.

The company is tracking 12 malware families associated with the exploitation of the devices, and it is likely that multiple actors are responsible for the creation and deployment of the malware families, Mandiant said.

But one attack targeting US Defense Industrial Base networks appears to be the work of a suspected advanced persistent threat (APT) group.

The attack involved trojanising shared objects with malicious code to log credentials and bypass authentication flows, injecting web shells into legitimate internet-accessible Pulse Secure VPN appliance administrative web pages for the devices, toggle rad-write modes on typically read-only system and clear the attacker’s traces by deleting relevant log files.

The attack appears to have leveraged a combination of prior vulnerabilities as well as the newly discovered zero day vulnerability disclosed this month, Mandiant said.

Mandiant said there is some evidence that could suggest that this campaign is being conducted by a hacker group linked to the Chinese government. The attack also bears strong similarities to the campaign by Chinese espionage actor APT5.

Pulse Secure’s parent company Ivanti has released mitigations for a vulnerability exploited in relation to these malware families, and has released a tool to help customers determine if their systems are impacted. A patch is expected for the vulnerability in early May.

According to Mandiant, there is no indication that the identified backdoors were introduced through a supply chain compromise of the company’s network, unlike the SolarWinds attack from earlier this year.

APT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances, Mandiant said. They have also consistently targeted defence and technology companies in the US, Europe and Asia.

In a statement, Pulse Secure said it is working with FireEye, CISA and Stroz Friedberg to investigate the attacks and respond to the behaviour.

The company said the newly discovered vulnerability affects only a “very limited number” of customers, so the majority of exposed customers are still running unpatched systems still exposed to the four previously discovered vulnerabilities.

No other Pulse Secure products are impacted by the vulnerabilities, the company said.

Image credit: ©stock.adobe.com/au/Oleksii

Related Articles

Global framework for fighting ransomware released

The multinational Ransomware Task Force is urging governments and industry leaders worldwide to...

More Mac malware detected in 2020 than ever before

An investigation into the state of macOS malware by Atlas VPN has found that malware developed to...

Queensland opens two new cyber innovation nodes

AustCyber and the Queensland Government have collaborated to open new cybersecurity innovation...


  • All content Copyright © 2021 Westwick-Farrow Pty Ltd