Advanced persistent threat actors linked to Chinese espionage groups have ramped up a cyber campaign against U.S. and some European companies in the defense, finance, transportation and technology industries, as well as government agencies, according to Mandiant threat research released Thursday. The researchers have identified four new malware families being used to compromise Pulse Secure VPN devices.
Mandiant researchers are tracking 16 different malware families used by several cyber espionage groups linked to China. Mandiant researchers say they observed a threat actor, identified as UNC2630, remove webshells, including ATRIUM and SLIGHTPULSE, from dozens of compromised devices.
The Cybersecurity and Infrastructure Security Agency issued an updated alert Thursday with new information about tactics, techniques and procedures (TTPs), indicators of compromise (IOCs) and mitigation resources. "CISA continues to work closely with Ivanti Inc. to better understand the vulnerabilities in Pulse Secure VPN products and mitigate potential risks to public and private sector networks," Matthew Hartman, deputy executive assistant director for cybersecurity at CISA, said in a statement released late Thursday.
Researchers observed the threat actor using a recently patched vulnerability, CVE-2021-22893, to compromise fully patched Pulse Secure devices as well as vulnerabilities dating back to 2019.
"These actors' primary goal is long-term persistence," Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, said. "Detection and publicity harm their ability to move around victim environments and steal information."
The threat actors have created local administrator accounts that sit outside existing Windows credential management controls. They also escalated privileges through credential harvesting.
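A defender's counterpart to that TTP is to watch the Windows Security log for new local accounts that are immediately added to the built-in Administrators group. The script below is an added example, not code from the Mandiant report or the CISA alert: it correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) where the group is the well-known Administrators SID S-1-5-32-544. The event records and the allowlist of expected admins are constructed for illustration, and the example assumes the 4732 member field has already been resolved from SID to account name.

```python
"""Flag suspicious additions to the local Administrators group from Security events.

Added example (not from the Mandiant report or CISA alert). Correlates 4720
(account created) with 4732 (member added to local group) for S-1-5-32-544.
"""
from datetime import datetime, timedelta

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
CORRELATION_WINDOW = timedelta(hours=24)      # "new account" means created within this window

# Hypothetical allowlist of accounts expected in the local Administrators group.
EXPECTED_ADMINS = {"Administrator", "itops-admin"}

# Constructed sample events, reduced to the fields the detection uses. A real
# 4732 event records the added member as a SID (MemberSid); here "member" is
# assumed to be that SID already resolved to an account name.
SAMPLE_EVENTS = [
    {"time": "2021-05-26T09:00:00", "id": 4732, "group_sid": BUILTIN_ADMINISTRATORS_SID,
     "member": "itops-admin", "subject": "Administrator"},
    {"time": "2021-05-27T02:14:05", "id": 4720, "target": "svc_backup", "subject": "itops-admin"},
    {"time": "2021-05-27T02:14:09", "id": 4732, "group_sid": BUILTIN_ADMINISTRATORS_SID,
     "member": "svc_backup", "subject": "itops-admin"},
    # Remote Desktop Users (S-1-5-32-555), not Administrators: ignored by this check.
    {"time": "2021-05-27T03:40:00", "id": 4732, "group_sid": "S-1-5-32-555",
     "member": "helpdesk", "subject": "itops-admin"},
    {"time": "2021-05-27T08:12:00", "id": 4732, "group_sid": BUILTIN_ADMINISTRATORS_SID,
     "member": "contractor7", "subject": "Administrator"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_admin_account_abuse(events, expected=EXPECTED_ADMINS, window=CORRELATION_WINDOW):
    """Return findings for additions to the local Administrators group.

    "high":   the member was created (4720) at most `window` before the 4732
              event, i.e. a brand-new local account was made admin right away.
    "medium": the member is not on the expected-admins allowlist.
    Members that are on the allowlist and not newly created produce nothing.
    """
    created_at = {}
    for ev in events:
        if ev["id"] == 4720:
            created_at[ev["target"]] = parse_time(ev["time"])

    findings = []
    for ev in events:
        if ev["id"] != 4732 or ev["group_sid"] != BUILTIN_ADMINISTRATORS_SID:
            continue
        member = ev["member"]
        added = parse_time(ev["time"])
        creation = created_at.get(member)
        if creation is not None and timedelta(0) <= added - creation <= window:
            findings.append({"severity": "high", "member": member, "subject": ev["subject"],
                             "reason": "account created %s before Administrators membership"
                                       % (added - creation)})
        elif member not in expected:
            findings.append({"severity": "medium", "member": member, "subject": ev["subject"],
                             "reason": "not on expected local admin allowlist"})
    return findings


if __name__ == "__main__":
    for f in find_admin_account_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['member']} added by {f['subject']}: {f['reason']}")
```

On the constructed data this reports svc_backup as high (created four seconds before it became an administrator) and contractor7 as medium (not on the allowlist); the allowlisted itops-admin and the Remote Desktop Users change produce nothing. Because the actors described here also run clean-up on the VPN appliance, checking on the Windows side, where a forwarded Security log is harder for them to scrub, is a useful second vantage point.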
Reverse engineers on the FLARE team have identified four new malware families linked to UNC2630, including the following:
BLOODMINE: A utility used to parse Pulse Secure Connect log files.
BLOODBANK: A credential theft utility that parses two files with plaintext hashes or plaintext passwords.
CLEANPULSE: A memory patching utility that prevents certain log events from taking place.
RAPIDPULSE: A webshell that is capable of an arbitrary file read and exists as a modification of a legitimate Pulse Secure file.
The updated CISA alert includes guidance on detecting intrusions beyond the Pulse Secure device and using the Ivanti integrity checker tool to detect exploitation and fight efforts to obfuscate intrusions. Ivanti is the parent company of Pulse Secure.
"We are aware of reports of attempted clean-up by the threat actor targeting the Pulse Connect Security (PCS) appliance," Phil Richards, vice president and chief security officer at Ivanti, said in a statement.
The Ivanti integrity checker tool is effective in identifying affected systems even in cases where the threat actor has launched clean-up efforts, Richards said.
VPNs have been a target of APT attacks in recent months, particularly involving the U.S. defense industry. In testimony before the Senate Armed Services Committee last week, Jesse Salazar, deputy assistant secretary of defense, industrial policy, said APT actors have been targeting the defense industry through security flaws in VPNs as well as email exchange servers.
VPNs have been a frequent target of various threat actors since 2019, and the COVID-19 pandemic has widened the attack surface, with millions of workers operating remotely since early 2020.
Any time a vendor is hit by vulnerabilities, at the end of the day it comes down to how it responds, according to Rob Smith, research director at Gartner's Endpoint and Operations Security Group. He said vulnerabilities are a sad fact of all software and every vendor has to deal with them.
"That said, lately Pulse has been hit hard and as a result, we've seen an uptick in Gartner clients looking to change to an alternative VPN solution," he said via email. "My usual discussions with them tend to move them away from traditional VPN to a cloud security approach which is ultimately SASE. There's very high demand pushing this now."