CISA-FireEye: 16 malware families from China infect Pulse Secure VPN appliances

Cyber Security News

FireEye CEO Kevin Mandia testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. FireEye owns Mandiant, founded by Mandia, which released research about malware exclusively designed to infect Ivanti Pulse Connect Secure VPN appliances. (Photo by Drew Angerer/Getty Images)

FireEye Mandiant, working in in tandem with the Cybersecurity and Infrastructure Security Agency and Ivanti, reported details of 16 malware families exclusively designed to infect Ivanti Pulse Connect Secure VPN appliances, and used by several cyber espionage groups believed to be affiliated with the Chinese government.

The blog post by Mandiant was an update to the company’s original post on April 20, which pointed to vulnerabilities tied to the Pulse Secure VPN devices.

Mathew Hartman, deputy executive assistant director of cybersecurity for CISA, released this statement about the alert CISA released on the issue: “CISA continues to work closely with Ivanti and other private sector partners to better understand the vulnerabilities in Pulse Secure VPN products and mitigate potential risks to public and private sector networks. As in similar circumstances, we released our alert after FireEye’s blog, so we could link to their technical information and provide a single resource to aid network defenders.”

According to yesterday’s blog, Mandiant reported that the compromises involving Pulse Secure’s VPN appliances were at organizations across the defense, government, high tech, transportation and financial sectors in the United States and Europe. The researchers said that the espionage activity by UNC2630 and UNC2717 supports important Chinese government priorities. Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five-Year Plan.

While the researchers found evidence of data theft at many organizations, they have not directly observed the staging or exfiltration of any data by Chinese espionage actors that they consider a violation of the Obama-Xi agreement, though the researchers said Chinese cyber espionage activity has demonstrated a higher tolerance for risk and has become less constrained by diplomatic pressures than in the past.

With patches and remediation resources now available to address Pulse Secure software vulnerabilities, there’s little excuse for inaction, said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. Bar-Dayan said organizations should know that these vulnerabilities are likely being exploited in the wild.

“An exploit of this vulnerability could compromise sensitive, privileged data and an attacker could take control of the affected system,” he said. “Should teams need additional support, there are resources available and best practices they can follow to mitigate the risk from enterprise VPNs.

Dirk Schrader, global vice president, security research at New Net Technologies, added that the technical aspects of the new FireEye Mandiant research are the perfect example for training teams on the cyber kill chain and how it looks like in real life: search for and compromise target, establish base, escalate from base, expand knowledge about target while moving around, and maintain a hidden presence to achieve objectives.

“The fact that the attack on Pulse Secure VPN devices is still successful enough from an attacker’s point of view is an uneasy testament to the role essential cyber hygiene seems to play for organizations using them,” Schrader said. “Critical controls like vulnerability scanning, change control and detection, as recommended by NIST and others would make it harder for attackers. As government systems and those of the Defense Industrial Base are the majority of targets, it seems that the Cybersecurity Maturity Model Certification (CMMC) should get on warp speed.”