Pulse Secure VPN appliances targeted in APT campaign

FireEye subsidiary Mandiant has warned of a new attack campaign targeting Pulse Secure VPN appliances that has involved exploiting a zero-day vulnerability to bypass single and multifactor authentication on targeted devices.

The company is tracking 12 malware families associated with the exploitation of the devices, and it is likely that multiple actors are responsible for the creation and deployment of the malware families, Mandiant said.

But one attack targeting US Defense Industrial Base networks appears to be the work of a suspected advanced persistent threat (APT) group.

The attack involved trojanising shared objects with malicious code to log credentials and bypass authentication flows, injecting web shells into legitimate internet-accessible Pulse Secure VPN appliance administrative web pages for the devices, toggle rad-write modes on typically read-only system and clear the attacker’s traces by deleting relevant log files.

The attack appears to have leveraged a combination of prior vulnerabilities as well as the newly discovered zero day vulnerability disclosed this month, Mandiant said.

Mandiant said there is some evidence that could suggest that this campaign is being conducted by a hacker group linked to the Chinese government. The attack also bears strong similarities to the campaign by Chinese espionage actor APT5.

Pulse Secure’s parent company Ivanti has released mitigations for a vulnerability exploited in relation to these malware families, and has released a tool to help customers determine if their systems are impacted. A patch is expected for the vulnerability in early May.

According to Mandiant, there is no indication that the identified backdoors were introduced through a supply chain compromise of the company’s network, unlike the SolarWinds attack from earlier this year.

APT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances, Mandiant said. They have also consistently targeted defence and technology companies in the US, Europe and Asia.

In a statement, Pulse Secure said it is working with FireEye, CISA and Stroz Friedberg to investigate the attacks and respond to the behaviour.

The company said the newly discovered vulnerability affects only a “very limited number” of customers, so the majority of exposed customers are still running unpatched systems still exposed to the four previously discovered vulnerabilities.

No other Pulse Secure products are impacted by the vulnerabilities, the company said.

Image credit: ©stock.adobe.com/au/Oleksii