The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (ED) 21-03 directing federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances hosted by the agency or a third party on the agency’s behalf. Every instance of a Pulse Connect Secure appliance identified in the process must deploy and run the Pulse Connect Secure Integrity Tool by 5pm Eastern Daylight Time on Friday.
The directive comes in response to compromises of U.S. government agencies, critical infrastructure entities, and other private sector organizations that were carried out by one or more threat actors, from June last year or earlier, through vulnerabilities in certain Ivanti Pulse Connect Secure products. Successful exploitation of these vulnerabilities allows an attacker to gain persistent system access and control of the enterprise network operating the vulnerable Pulse Connect Secure appliance.
The Emergency Directive remains in effect until all agencies operating Pulse Connect Secure servers have applied forthcoming patches that resolve all currently exploited vulnerabilities, or the Directive is terminated through other appropriate action. It reflects the security agency’s determination to require emergency action for exploitations that pose an unacceptable risk to the federal civilian executive branch agencies.
All affected agencies are required to use the Pulse Connect Secure Integrity Tool to check the integrity of their file systems. The tool compares the hashes of files on the appliance against the expected values and reports any mismatch, as well as any file that should not be there. If mismatches or new files are found, agencies must take mitigation actions and get in touch with the security agency for potential incident response activities.
Adversaries are known to maintain persistence over upgrade cycles, and it is critical to run the tool even if all updates have already been deployed and the appliance is running the latest version of software.
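The check the directive describes, comparing file hashes against a known-good manifest and flagging modified, unexpected and missing files, is illustrated by the following added example; it is not the Pulse Connect Secure Integrity Tool, and the file tree, file names and manifest it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed example (not Pulse Secure's tool): verify a directory tree
# against a manifest of expected SHA-256 hashes, the way an integrity check
# reports hash mismatches and new files that an operator must then act on.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_integrity(root, manifest):
    """manifest: dict of relative path -> expected sha256 hex digest.
    Returns (modified, new, missing) as sorted lists of relative paths."""
    actual = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            actual[os.path.relpath(full, root)] = sha256_of(full)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    new = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    return modified, new, missing

def demo():
    """Build a constructed tree, record its manifest, then alter it so each
    finding class (modified, new, missing) appears once in the report."""
    root = tempfile.mkdtemp()
    good = {"bin/app.cgi": b"original\n", "etc/config": b"cfg=1\n",
            "lib/helper.so": b"lib\n"}
    manifest = {}
    for rel, data in good.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(root, "bin/app.cgi"), "ab") as f:
        f.write(b"changed\n")                      # hash no longer matches
    with open(os.path.join(root, "bin/extra.cgi"), "wb") as f:
        f.write(b"unexpected\n")                   # file absent from manifest
    os.remove(os.path.join(root, "lib/helper.so"))  # expected file gone
    return check_integrity(root, manifest)

if __name__ == "__main__":
    print(demo())
```

On a real appliance the manifest would come from the vendor's known-good build, and, as the text notes, any non-empty modified or new list is a reason to escalate rather than simply re-patch.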
“Over the last year, CISA has issued several alerts urging agencies, governments and organizations to assess and patch Pulse Connect Secure vulnerabilities,” said Brandon Wales, acting CISA director, in a statement. “This Emergency Directive reflects the seriousness of these vulnerabilities and the importance for all organizations – in government and the private sector – to take appropriate mitigation steps.”
Pulse Secure parent company Ivanti has released mitigations for a vulnerability exploited in connection with the malware families, along with the Pulse Connect Secure Integrity Tool, so that customers can determine whether their systems are affected. A final patch to address the vulnerability will be available in early May 2021.
Pulse Secure has been working proactively with forensic experts and industry groups, including Mandiant/FireEye, CISA and Stroz Friedberg, among others, to investigate and respond to the exploit behavior, the company said this week.
“We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260),” according to a company blog post. “We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted,” it added.
The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence, CISA said. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching, it added. A webshell is a malicious web-based interface that gives an attacker remote access to and control of a web server by allowing the execution of arbitrary commands.
Mandiant responded to multiple security incidents involving compromises of Pulse Secure VPN appliances to examine the multiple, related techniques for bypassing single and multi-factor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells. Mandiant is part of FireEye.
“There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process,” Mandiant said in a post. Mandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners, it added.
Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5. “We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government. The analysis is still ongoing to determine the full scope of the activity that may be related to the group,” it added.
Organizations should examine available forensic evidence to determine whether an attacker compromised user credentials. Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate through the vulnerable appliance.
The attack comes at a time when the Biden administration is taking steps to safeguard U.S. critical electric infrastructure from persistent and sophisticated cyber threats. It unveiled this week a 100-day plan to modernize critical electric infrastructure using cybersecurity defenses with aggressive milestones and assist owners and operators to deliver better detection, mitigation, and forensic capabilities.
The nation’s critical infrastructure has been hit previously by the Oldsmar water plant hack, where a remote hacker briefly altered the chemical balance of the community’s drinking water to include dangerous levels of lye, and by the SolarWinds supply chain attacks, which U.S. intelligence agencies alleged last week were the work of Russia’s Foreign Intelligence Service (SVR), which exploited five publicly known vulnerabilities.