On April 20, 2021, the cybersecurity firm Mandiant published a report on security incidents involving compromised Pulse Secure VPN appliances. The report describes the techniques threat actors used to bypass single-factor and multi-factor authentication on Pulse Secure VPN appliances and to maintain access through web shells that survive appliance upgrades.
According to the report, Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN appliances. All of them are tied to bypassing authentication and creating backdoor access to the devices, but the report analyzes them separately because the researchers assess that multiple threat actors are likely responsible for creating and deploying them.
Techniques used to compromise Pulse Secure devices:
According to the analysis by Ivanti, Pulse Secure's parent company, some intrusions exploited a previously unknown vulnerability, CVE-2021-22893, while others exploited Pulse Secure VPN vulnerabilities disclosed in 2019 and 2020. The Mandiant report notes that the threat actor harvested credentials from multiple Pulse Secure VPN login flows, which let them log in with legitimate account credentials and move laterally in the affected environments.
The actor used modified copies of legitimate Pulse Secure binaries and scripts on the VPN appliance to maintain persistent access to the compromised networks. This allowed the actor to:
- Trojanize shared objects with malicious code to bypass authentication. These modified shared objects are tracked as SLOWPULSE.
- Inject web shells into legitimate, internet-accessible administrative web pages on the Pulse Secure VPN appliance. These are tracked as RADIALPULSE and PULSECHECK.
- Toggle the appliance filesystem between read-only and read-write modes so that files on the otherwise read-only filesystem could be modified.
- Maintain persistence across administrator-performed upgrades of the VPN appliance.
- Evade detection by reverting (unpatching) modified files and deleting utilities and scripts after use.
- Clear log entries matching an actor-defined regular expression using a utility tracked as THINBLOOD.
SLOWPULSE – A novel malware family
While investigating one threat actor, the Mandiant team discovered a novel malware family, which they named SLOWPULSE. The actor deployed multiple variants, each a modification of the legitimate Pulse Secure shared object libdsplibs.so that tampers with the existing authentication flow to either bypass authentication or log the credentials passing through it.
The researchers identified four variants, three of which let the attacker bypass two-factor authentication, while the fourth logs credentials. The Mandiant report provides detailed information on each variant.
- Variant 1 – Bypasses LDAP and RADIUS two-factor authentication using a secret backdoor password. The credentials supplied at the start of the protocol's authentication routine are inspected, and if the password matches the chosen backdoor password, execution is forced down the successful-authentication path.
- Variant 2 – The ACE two-factor authentication credential-logging variant. It does not bypass authentication; instead it records the username and password used in the ACE-2FA procedure for the attacker's later use.
- Variant 3 – Bypasses the ACE-2FA login procedure. When the backdoor password is supplied, the modified flow skips the routine responsible for credential verification, letting the attacker imitate a successful authentication.
- Variant 4 – Bypasses the RealmSignin two-factor authentication procedure of the Pulse Secure VPN. The attacker spoofs successful authentication through inserted logic that alters the execution flow at a specific step of the login process.
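Every SLOWPULSE variant above is a modification of a file the appliance ships with, so the practical detection question is whether on-box files still match a trusted baseline. The following Python script is an added example for this write-up, not Ivanti's Integrity Tool and not code from the Mandiant report. It snapshots a constructed directory tree, applies three changes of the kind the report describes (a patched shared object, a dropped web shell, a deleted log) and classifies what changed. Only the file name libdsplibs.so comes from the text; the directory layout, file contents and the web shell path are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for appliance files.

Added example for this write-up; it is not Ivanti's Integrity Tool and not
code from the Mandiant report. The directory layout, file contents and the
web shell drop path below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(known_good, observed):
    """Classify differences between a trusted baseline and the current state.

    modified: present in both, digest differs (e.g. a patched shared object)
    added:    present only now (e.g. a dropped web shell or helper script)
    missing:  present only in the baseline (e.g. a deleted log file)
    """
    modified = sorted(p for p in known_good
                      if p in observed and observed[p] != known_good[p])
    added = sorted(p for p in observed if p not in known_good)
    missing = sorted(p for p in known_good if p not in observed)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, data):
    """Write bytes to root/rel, creating parent directories as needed."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Snapshot a constructed 'clean' tree, then apply three SLOWPULSE-style
    changes (patch libdsplibs.so, drop a CGI web shell, delete a log) and
    return what the comparison flags."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for appliance files. Only the name
        # libdsplibs.so comes from the write-up; the directories are assumed.
        _write(root, "lib/libdsplibs.so", b"\x7fELF legitimate auth flow")
        _write(root, "htdocs/auth/welcome.cgi", b"#!/usr/bin/perl\n# legitimate\n")
        _write(root, "logs/events.log", b"2021-04-20 admin login ok\n")
        baseline = build_manifest(root)  # taken before compromise, kept off-box

        # Tampering of the kind the report describes: modify the shared
        # object, inject a (hypothetical) web shell, and remove a log.
        _write(root, "lib/libdsplibs.so", b"\x7fELF auth flow with backdoor check")
        _write(root, "htdocs/auth/shell.cgi", b"#!/usr/bin/perl\n# hypothetical web shell\n")
        os.remove(os.path.join(root, "logs", "events.log"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the techniques listed earlier. The baseline must be taken before compromise and stored off the appliance, since an actor who can flip the filesystem to read-write can also rewrite a manifest kept on it. And because the actor unpatched modified files and deleted its utilities after use, a single point-in-time comparison can come back clean after a clean-up; repeated checks, plus review of the logs a THINBLOOD-style tool would target, are needed to catch that.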
Ivanti has released mitigations for CVE-2021-22893, the vulnerability exploited alongside the malware families described above, to help affected customers recover. It has also released the Pulse Connect Secure Integrity Tool so that customers can check whether their appliances have been affected, and has stated that a final patch for the vulnerability is expected as early as May 2021.