At least two hacker groups have been leveraging critical vulnerabilities in Pulse Secure VPN devices, as well as a zero-day flaw, in cyber attacks against defense, government, and financial organizations in the U.S. and other countries.
According to security advisories released by FireEye's Mandiant team and Pulse Secure, in the observed attacks malicious actors leveraged several Pulse Secure vulnerabilities patched in 2019 and 2020 (CVE-2019-11510, CVE-2020-8243) and a previously unknown bug, tracked as CVE-2021-22893, to bypass multi-factor authentication protections and gain access to enterprise networks.
“A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector,” FireEye said.
According to the cybersecurity firm, the attacks started in August 2020 when the first group, known as UNC2630, began targeting US defense contractors and European organizations.
The researchers believe that UNC2630 is working on behalf of the Chinese government and may have ties to another China-linked espionage actor tracked as APT5 based on "strong similarities to historic intrusions dating back to 2014 and 2015."
FireEye is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices; these families can circumvent authentication on the appliance and provide backdoor access. However, the malware families are not necessarily related to each other, FireEye noted.
The list of malware families includes:
UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
UNC2717: HARDPULSE, QUIETPULSE, and PULSEJUMP
Two additional malware families used in the attacks, STEADYPULSE and LOCKPICK, have not been attributed to any threat actor due to a lack of evidence.
“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” FireEye noted.
Pulse Secure's parent company, Ivanti, has provided temporary mitigations to prevent attacks, and the final patch is expected to be released in May 2021.