This report covers an exploitation campaign against Pulse Secure VPN appliances by two distinct threat actor groups. Successful exploitation of CVE-2021-22893, combined with some older software bugs, gives the attacker legitimate privileged remote access to the network. The two groups involved in this campaign are UNC2630 and UNC2717, with some indication of nation-state involvement. CVE-2021-22893 affects the following software releases: PCS 9.0R3/9.1R1 and higher. A patch for CVE-2021-22893 is currently in the works; the vendor labels it Pulse Connect Secure server software version 9.1R.11.4.
Tactics, Techniques, and Procedures
The first malware family used in this campaign is known to the security community as SLOWPULSE; it has multiple variants with slightly different attack flows. SLOWPULSE modifies legitimate Pulse Secure files, with the goal of either bypassing authentication or logging user credentials through the legitimate shared object libdsplibs.so. It commonly hijacks the LDAP bind routine to check the supplied password against the backdoor password. The legitimate credentials are copied into a memory cave before the bind begins; after the bind completes, the copied password becomes the new backdoor password and execution rejoins the legitimate authentication flow at the bind status check. When 2FA (two-factor authentication) is in use, the malware captures the packet sent to verify the user's identity and rewrites it to report success while logging into the appliance. The logging variants capture the user credentials during the LDAP check and write them to a log file.
SLOWPULSE modifies libdsplibs.so to bypass certain authentication mechanisms within the LDAP and RADIUS protocols. The file hardcodes a backdoor key that subverts any authentication failure: the VPN connection succeeds only if the correct backdoor key is supplied. The malicious logic operates as a passive observer, waiting for either of two routines to be invoked and applying separate logic depending on which routine the environment uses. The routines targeted by the malware are DSAuth::LDAPAuthServer::authenticate and DSAuth::RadiusAuthServer::checkUsernamePassword.
The attacker uses two malicious toolsets, ATRIUM and the QUIETPULSE Utility Script, to maintain long-term persistence on the Pulse Secure appliance. ATRIUM is a web shell that inspects every web request for the HTTP query parameter id; once that parameter is present, the malicious logic executes its value through the system API. Persistence comes from the ATRIUM persistence patcher script, engineered so that none of the web shells used in the campaign (ATRIUM, STEADYPULSE, and PULSECHECK) are removed during a legitimate system upgrade. The script injects commands that pack the malicious files and directories into a .tar.gz archive and copy files into the /tmp/ and /tmp/data/ directories, then unpacks the malicious components once the upgrade has completed. QUIETPULSE relies on code injected into the legitimate file dsserver, a Perl script. The modification causes dsserver to fork a child process running the QUIETPULSE Utility Script, located at /home/bin/dshelper. That shell script copies files and executes commands on the system, and dshelper will often access the /tmp/data path during a system upgrade. It runs on a timer, performing four different checks every two minutes; the checks search for file locations and move data around the infected appliance.
CVE-2021-22893 allows a remote, unauthenticated attacker to execute code using unknown vectors. An attacker looking to exploit this vulnerability needs an Internet-accessible web portal. The security community theorizes that web requests for URIs matching ^/+dana/+meeting may indicate a successful exploitation attempt.
Business Unit Impact
- May lead to the compromise of sensitive high-value user credentials.
- May result in the propagation of malware in the environment, as legitimate software binaries are injected with, or outright replaced by, malicious code.
- Allows a resourceful bad actor to bypass your authentication mechanisms, including multifactor authentication.
It is highly encouraged that you implement the vendor workaround linked below. You can use a load balancing device capable of SSL decryption to block the following URIs:
It may be prudent to use the FireEye GitHub page linked below to apply proactive blocks on your perimeter devices as a precaution. To check for signs of compromise, consider running the Pulse Connect Secure (PCS) Integrity Assurance Tool linked below.
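One way to turn the report's web-request indicators into detection logic, as an added example that is not part of the original report or of FireEye's published rules: it scans web-server access log lines (a constructed sample in Common Log Format) for URIs matching ^/+dana/+meeting and for an id query parameter carrying shell-like content, the parameter the ATRIUM web shell executes. The shell-metacharacter heuristic and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# URI pattern the report associates with exploitation attempts.
MEETING_URI_RE = re.compile(r"^/+dana/+meeting")
# Heuristic (assumption, not from the report): an `id` value carrying shell
# metacharacters or a common interpreter/downloader name is treated as command-like.
SHELL_LIKE_RE = re.compile(r"[;|&`$]|\b(?:sh|bash|perl|wget|curl)\b")
# Common Log Format line: '1.2.3.4 - - [date] "GET /path HTTP/1.1" 200 12'
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')


def inspect_request(target):
    """Return the reasons a request target looks suspicious (empty list if none)."""
    reasons = []
    # Split by hand: urlsplit() would read a leading '//' as a host and hide the path.
    path, _, query = target.partition("?")
    if MEETING_URI_RE.match(unquote(path)):
        reasons.append("uri matches ^/+dana/+meeting")
    for value in parse_qs(query, keep_blank_values=True).get("id", []):
        if SHELL_LIKE_RE.search(value):
            reasons.append("id parameter contains shell-like content")
            break
    return reasons


def scan_log(lines):
    """Return (client ip, target, reasons) for every parseable line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line we understand
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed sample log; client addresses come from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Apr/2021:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '203.0.113.11 - - [21/Apr/2021:10:00:05 +0000] "GET //dana//meeting/ HTTP/1.1" 200 88',
    '203.0.113.12 - - [21/Apr/2021:10:00:09 +0000] "GET /dana-na/css/ds.css?id=ls%20-la%3Bid HTTP/1.1" 200 40',
    '203.0.113.13 - - [21/Apr/2021:10:00:12 +0000] "GET /dana-na/auth/welcome.cgi?id=42 HTTP/1.1" 200 300',
]

for ip, target, reasons in scan_log(SAMPLE_LOG):
    print(f"{ip} {target}: {', '.join(reasons)}")
```

A plain numeric id (the fourth line) is left alone, so the check does not fire on every legitimate use of that parameter name.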
- Detection/SIEM Rules: https://github.com/fireeye/pulsesecure_exploitation_countermeasures
- Vendor Links:
- Integrity Tool: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a "top-of-mind" threat and how it ought to be addressed.
This informed analysis is based on the latest data available.