The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive and Alert AA21-110A, both addressing the exploitation of Pulse Connect Secure VPN software. Pulse Connect Secure VPN is a widely used SSL remote access solution within the U.S. defense sector. The CISA directive orders Federal Civilian Executive Branch agencies to take emergency action: identify instances of the software running within their respective organizations, deploy the Pulse Connect Secure Integrity Tool, and run it daily until a patch is available (early May 2021).
VPN Compromise
Compromises, according to CISA, have “occurred within U.S. government agencies, critical infrastructure entities and other private sector organizations.” CNN reports affected entities include defense companies and financial institutions, and cybersecurity firm FireEye noted that the infection vector has affected members of the U.S. Defense Industrial Base.
Ivanti, the parent company of the Pulse Connect Secure product line, said in a security update that it is working with CISA, FireEye, and Stroz Friedberg to investigate and respond to the exploit. In addition, the company is offering a tool that customers can use to test their appliances. Customers can also reach out to Ivanti for testing help and support.
FireEye published its own threat research on the compromises and, as noted, is working with Ivanti on mitigating the attack on the VPN software. In its research report, FireEye notes that previously known vulnerabilities, coupled with a zero-day (a previously unknown vulnerability), are responsible for the “infection vector” discussed in the CISA directive and alert.
China Attribution
Attribution for these cyberattacks is given to China, as many of the multiple malware families involved in the compromise of Pulse Connect Secure have previously been associated with Chinese cyber activity (APT5). APT5 was originally detected in Chinese espionage attacks in 2014 and 2015. Aspects of this compromise had been detected as far back as August 2020.
FireEye explains that APT5’s primary targets are aerospace and defense companies in the U.S., Europe, and Asia. Charles Carmakal, senior vice president of Mandiant, a part of FireEye, told Reuters that their analysis is based on a review of tactics, tools, infrastructure, and targets that “… we suspect is aligned with China based initiatives and collections.”
ABC News and Reuters both reported that Liu Pengyu, the Chinese Embassy’s spokesperson in Washington, D.C., responded with the message that China “firmly opposes and cracks down on all forms of cyber attacks,” calling the attribution “irresponsible and ill-intentioned to accuse a particular party when there is no sufficient evidence around.”
FSO Action
FSOs know that their networks and the software used within them are targets of interest to foreign adversaries, including China. They should ensure their information technology teams are made aware of the CISA emergency directive, the alert, and the integrity checker tool as soon as possible.
Emergency Directive – Mitigate Pulse Connect Secure Product Vulnerabilities