Pulse Secure VPN appliances targeted in APT campaign


By Dylan Bushell-Embling
Wednesday, 21 April, 2021


Pulse Secure VPN appliances targeted in APT campaign

FireEye subsidiary Mandiant has warned of a new attack campaign targeting Pulse Secure VPN appliances that has involved exploiting a zero-day vulnerability to bypass single and multifactor authentication on targeted devices.

The company is tracking 12 malware families associated with the exploitation of the devices, and it is likely that multiple actors are responsible for the creation and deployment of the malware families, Mandiant said.

But one attack targeting US Defense Industrial Base networks appears to be the work of a suspected advanced persistent threat (APT) group.

The attack involved trojanising shared objects with malicious code to log credentials and bypass authentication flows, injecting web shells into legitimate internet-accessible Pulse Secure VPN appliance administrative web pages for the devices, toggle rad-write modes on typically read-only system and clear the attacker’s traces by deleting relevant log files.

The attack appears to have leveraged a combination of prior vulnerabilities as well as the newly discovered zero day vulnerability disclosed this month, Mandiant said.

Mandiant said there is some evidence that could suggest that this campaign is being conducted by a hacker group linked to the Chinese government. The attack also bears strong similarities to the campaign by Chinese espionage actor APT5.

Pulse Secure’s parent company Ivanti has released mitigations for a vulnerability exploited in relation to these malware families, and has released a tool to help customers determine if their systems are impacted. A patch is expected for the vulnerability in early May.

According to Mandiant, there is no indication that the identified backdoors were introduced through a supply chain compromise of the company’s network, unlike the SolarWinds attack from earlier this year.

APT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances, Mandiant said. They have also consistently targeted defence and technology companies in the US, Europe and Asia.

In a statement, Pulse Secure said it is working with FireEye, CISA and Stroz Friedberg to investigate the attacks and respond to the behaviour.

The company said the newly discovered vulnerability affects only a “very limited number” of customers, so the majority of exposed customers are still running unpatched systems still exposed to the four previously discovered vulnerabilities.

No other Pulse Secure products are impacted by the vulnerabilities, the company said.

Image credit: ©stock.adobe.com/au/Oleksii

Related Articles

Getting the balance right between business innovation, security and AI

As businesses continue to digitise their operations, traditional security measures may no longer...

If you want to fix cyber, stop trying to fix people

We need to stop trying to fix people and start understanding and supporting them with the right...

Managing through uncertainty requires facing security unknowns head on

Understanding the attack surface in its entirety is not just a tactical advantage; it is a...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd