Following an Emergency Directive last month, the Cybersecurity and Infrastructure Security Agency (CISA) updated its alert on the compromises identified in certain Ivanti Pulse Connect Secure products that directly affect U.S. government agencies, critical infrastructure entities, and other private sector organizations.
The vulnerabilities have been exploited since June last year or earlier by a cyber threat actor (or actors) that “we believe are affiliated with the Chinese government,” Mandiant said in a blog post last week. FireEye’s Mandiant division has been tracking 16 malware families designed to infect Pulse Secure VPN appliances and used by several cyber espionage groups.
Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized.
The latest CISA alert includes new threat actor tactics, techniques and procedures (TTPs), indicators of compromise (IOCs), and updated mitigations. The security agency observed the attacker performing cleanup actions, including timestomping a trojanized ‘umount’ binary so that its timestamps match those of legitimate binaries, in an attempt to disguise the modification; the touch command was used to modify the timestamp. The attacker also deleted files from temp directories and altered timestamps.
“The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances,” CISA said in the alert. Many of the hacker’s early actions are logged in the ‘Unauthenticated Requests Log’ and URIs have been redacted to minimize access to webshells that may still be active, it added.
Pulse Secure parent company Ivanti released the Pulse Connect Secure Integrity Tool to enhance users’ ability to verify the complete integrity of their Pulse Connect Secure software. The integrity tool allows an administrator to verify the PCS image installed on virtual or hardware appliances, check the integrity of the complete file system, and find any additional or modified files.
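The two findings above, a trojanized binary re-stamped with the legitimate file’s mtime and extra files dropped on the appliance, are exactly what a file-system integrity check against a known-good manifest surfaces. The following is an added example written for this article, not Ivanti’s Integrity Tool or any Pulse Secure code: it records a baseline of (sha256, mtime) per file and then reports added, modified and missing files, flagging a modified file whose mtime still equals the baseline as timestomped. The sample tree, file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import pathlib
import tempfile

def sha256_of(path):
    # Whole-file read is fine for a demo; stream in chunks for large images.
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def walk_files(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def build_manifest(root):
    """Record (sha256, mtime) for every file under a known-good image."""
    return {rel: (sha256_of(full), int(os.stat(full).st_mtime))
            for rel, full in walk_files(root)}

def check_integrity(root, manifest):
    """Return sorted (relpath, kind, timestomped) tuples; kind is added/modified/missing.
    timestomped is True when the content changed but mtime still equals the baseline."""
    findings, seen = [], set()
    for rel, full in walk_files(root):
        seen.add(rel)
        if rel not in manifest:
            findings.append((rel, "added", False))
            continue
        good_hash, good_mtime = manifest[rel]
        if sha256_of(full) != good_hash:
            stomped = int(os.stat(full).st_mtime) == good_mtime
            findings.append((rel, "modified", stomped))
    findings += [(rel, "missing", False) for rel in manifest if rel not in seen]
    return sorted(findings)

def demo():
    """Constructed sample tree (not real appliance files)."""
    root = tempfile.mkdtemp()
    umount = pathlib.Path(root, "bin", "umount")
    umount.parent.mkdir()
    umount.write_bytes(b"legit umount binary")
    os.utime(umount, (1600000000, 1600000000))
    manifest = build_manifest(root)              # baseline taken before compromise
    umount.write_bytes(b"trojanized umount")      # binary replaced...
    os.utime(umount, (1600000000, 1600000000))   # ...and re-stamped to the old mtime
    pathlib.Path(root, "shell.cgi").write_bytes(b"dropped webshell")
    return check_integrity(root, manifest)
```

A hash mismatch paired with an unchanged mtime is the signature of the ‘touch’-based cleanup described above; a plain mtime scan would miss the modified binary entirely.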
The cyber threat actor is using compromised devices located in residential IP space, including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors, to proxy their connections when interacting with the webshells they placed on victim appliances, CISA said.
These devices, which the hacker is using to proxy the connection, correlate with the country of the victim and allow the hacker activity to blend in with normal telework user activity. Details about lateral movement and post-exploitation are still unknown at this time, and the agency “will update this alert as this information becomes available.”
Between Apr. 17 and Apr. 20 this year, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE, Mandiant said.
“We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities,” Mandiant said. “Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan. While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.”
In at least one instance, UNC2630 deleted their webshell(s) but did not remove the persistence patcher, making it possible to regain access when the device was upgraded, Mandiant pointed out. The remaining persistence patcher causes the malicious code to be executed later during a system upgrade, re-inserts webshell logic into various files on the appliance, and re-compromises the device.
It is unusual for Chinese espionage hackers to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity, it added.
Both UNC2630 and UNC2717 display advanced hacking skills and go to “impressive lengths” to avoid detection. The hackers modify file timestamps and regularly edit or delete forensic evidence, such as logs, web server core dumps, and files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network, according to Mandiant. These skills can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.
CISA also advised Pulse Connect Secure users to run the Integrity Checker Tool (ICT) to determine whether their device has been compromised. While the tool is accurate, there are several nuances to its effective use. It detects evidence of adversary cleanup only on the current, running version of PCS, so it may be necessary to roll back the current PCS version to obtain a valid run of the ICT.
During the upgrade process, the active version becomes a rollback partition. Only one rollback partition exists on a device, as the rollback partition is replaced on each update. Therefore, if an entity has updated their PCS device without running the correct version of the ICT, anomalous activity will not be detected, it added.
Earlier this month, Colonial Pipeline was hit by DarkSide ransomware, leading to a compromise of the fuel pipeline company’s IT networks and affecting its operations. The company is reported to have paid nearly $5 million in ransom to the DarkSide attackers after its operations were hit on May 7.
The attack comes at a time when the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) has released a Security Directive that requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to CISA, and calls for the appointment of a ‘Cybersecurity Coordinator’ who is available 24 hours a day, seven days a week.
The directive followed an Executive Order from the Biden administration that aims to bring about decisive steps to modernize US critical infrastructure and its approach to cybersecurity by increasing visibility into threats, while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.