Executive Summary
- Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.
- This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.
- The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.
- Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.
- Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.
- There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.
Introduction
Mandiant is currently tracking 12 malware families associated with
the exploitation of Pulse Secure VPN devices. These families are
related to the circumvention of authentication and backdoor access to
these devices, but they are not necessarily related to each other and
have been observed in separate investigations. It is likely that
multiple actors are responsible for the creation and deployment of
these various code families.
The focus of this report is on the activities of UNC2630 against U.S. Defense Industrial Base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.
Mandiant continues to collaborate with the Ivanti and Pulse Secure
[…]
Original article: Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day