CERT mailing list archives

AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 16 Apr 2020 18:49:02 +0000

National Cyber Awareness System:

AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching [ 
https://www.us-cert.gov/ncas/alerts/aa20-107a ] 04/16/2020 09:21 AM EDT 
Original release date: April 16, 2020

Summary

"*Note:* This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. 
See the ATT&CK for Enterprise [ https://attack.mitre.org/matrices/enterprise/ ] framework for all referenced threat 
actor techniques and mitigations."

This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued 
Exploitation of Pulse Secure VPN Vulnerability [ https://www.us-cert.gov/ncas/alerts/aa20-010a ], which advised 
organizations to immediately patch CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Secure virtual 
private network (VPN) appliances.[1] [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 ] CISA is 
providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a 
victim organization's credentials will still be able to access, and move laterally through, that organization's network 
after the organization has patched this vulnerability if the organization did not change those stolen credentials.

This Alert provides new detection methods for this activity, including a CISA-developed tool [ 
https://github.com/cisagov/check-your-pulse ] that helps network administrators search for indicators of compromise 
(IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to 
recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the 
ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this 
report to secure networks against these attacks.

For a downloadable copy of IOCs, see STIX file [ 
https://www.us-cert.gov/sites/default/files/publications/AA20-107A_IOCs(WHITE).stix.xml ].

Background

CISA has conducted multiple incident response engagements at U.S. Government and commercial entities where malicious 
cyber threat actors have exploited CVE-2019-11510, an arbitrary file reading vulnerability affecting Pulse Secure VPN 
appliances, to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 
2019,[2] [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 ] CISA has observed incidents where 
compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.

Technical Details

CISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining 
"Initial Access" [TA0001] [ https://attack.mitre.org/tactics/TA0001/ ] to a victim organization's network via VPN 
appliances. Cyber threat actors used these "Valid Accounts" [T1078] [ https://attack.mitre.org/techniques/T1078/ ] in 
conjunction with:

  * "External Remote Services" [T1133] [ https://attack.mitre.org/techniques/T1133 ] for access, 
  * "Remote Services" [T1021] [ https://attack.mitre.org/techniques/T1021 ] for "Lateral Movement" [TA0008] [ 
https://attack.mitre.org/tactics/TA0008/ ] to move quickly throughout victim network environments, and 
  * "Data Encrypted for Impact" [T1486] [ https://attack.mitre.org/techniques/T1486 ] for impact, as well as 
  * "Exfiltration" [TA0010] [ https://attack.mitre.org/tactics/TA0010/ ] and sale of the data. 

Initial Access

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A 
remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs 
because directory traversal is hard coded to be allowed if the path contains dana/html5/acc.[3] [ 
https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1 ],[4] [ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848
 ] For example, a malicious cyber actor can obtain the contents of /etc/passwd [5] [ 
https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh ] by requesting the following uniform resource 
identifier (URI):

https://vulnvpn.example[.]com/dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/

Obtaining the contents of /etc/passwd gives the attacker access to basic information about local system accounts. This 
request was seen in the proof of concept (POC) code for this exploit on GitHub [ 
https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh ]. An attacker can also leverage the vulnerability to 
access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak 
plaintext credentials of enterprise users.[6] [ https://www.exploit-db.com/exploits/47297 ],[7] [ 
https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11 ],[8] [ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848
 ]
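The traversal class described above, as an added example that is not CISA's or Pulse Secure's code: a small Python model of a resolver that, like the behaviour the Alert describes, permits ".." whenever an allow-listed marker string appears in the path, placed beside a hardened resolver that canonicalises the path first and only then checks that the result stays under the web root. The web root, the function names and the benign sample path are assumptions; the traversal request is the path portion of the URI quoted above, with its query string dropped.

```python
# Added example, not Pulse Secure's or CISA's code: a minimal model of the
# traversal flaw described in the Alert, beside a hardened path resolver.
# WEB_ROOT, the function names and the benign sample path are assumptions.
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"            # assumed document root (constructed)
ALLOWLIST_MARKER = "dana/html5/acc"   # substring the Alert says was hard coded as permitted


def vulnerable_resolve(url_path: str) -> Optional[str]:
    """Models the flaw: '..' is refused unless the allow-listed marker is present.

    Once the marker appears anywhere in the path, the '..' segments are passed
    straight through, so normalisation can climb out of WEB_ROOT. This is the
    behaviour being modelled for comparison, not a recommendation.
    """
    if ".." in url_path and ALLOWLIST_MARKER not in url_path:
        return None
    return posixpath.normpath(WEB_ROOT + "/" + url_path)


def hardened_resolve(url_path: str) -> Optional[str]:
    """Canonicalise first, then enforce containment; no substring allow-list.

    A request whose normalised form does not remain under WEB_ROOT is refused
    regardless of what other strings the path contains. On a real filesystem,
    also resolve symlinks (os.path.realpath) before comparing.
    """
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, url_path.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


# Path portion of the request quoted in the Alert (query string dropped).
TRAVERSAL_REQUEST = "/dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(TRAVERSAL_REQUEST))      # climbs out of WEB_ROOT
    print("hardened:  ", hardened_resolve(TRAVERSAL_REQUEST))        # refused
    print("hardened:  ", hardened_resolve("/dana/html5/acc/index.html"))
```

The point of the comparison is that the decision must be made on the canonical result, not on what the raw request string contains: any check that keys on a substring can be satisfied by a path that also contains the traversal.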

Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[9] 
[ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887
 ] however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat 
actors crafting requests for files that allow "Credential Dumping" [T1003] [ 
https://attack.mitre.org/techniques/T1003 ] of plaintext passwords from the VPN appliance.

Test Environment

To confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test 
environment to send crafted requests. CISA used requests found both in proof-of-concept, open-source code and in 
requests from the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials 
were leaked and that it was possible to leak the local admin password to the VPN appliance. (See figure 1.)

Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials

CISA's test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a 
Pulse Secure VPN appliance version 9.0R3 (build 64003). CISA connected the attacker machine to the external interface 
of the Pulse Secure VPN appliance and the DC to the internal interface.

CISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.

  * Local Pulse Secure Admin account: username admin; password pulse-local-password 
  * Domain Administrator account: username Administrator; password domain-admin-password1 
  * CISA-test-user account: username cisa-test-user; password Use_s3cure_passwords 

*Note:* the URI CISA tested to leak Pulse Secure VPN user credentials has not been publicly released, so CISA has 
redacted it from this Alert.

After creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache 
the domain administrator password. (See figure 2.)

Figure 2: VPN appliance joined to the domain without caching the domain administrator password

CISA used a similar file inclusion to test the ability to "Credential Dump" [T1003] [ 
https://attack.mitre.org/techniques/T1003 ] the domain administrator password. CISA determined it was possible to leak 
the domain administrator password that was used to join the device to the domain without saving the credentials. Refer 
to figure 3 for the URI string tested by CISA. *Note:* the URI is partially redacted.

Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials

Next, CISA validated the ability to "Credential Dump" [T1003] [ https://attack.mitre.org/techniques/T1003 ] a user 
password from the VPN appliance. To do this, CISA created a "user realm" (Pulse Secure configuration terminology) and 
configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After 
using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to 
leak the credentials from the device. (*Note:* the path to stored credentials is publicly available.)[10] [ 
https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11 ]

Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials

This test confirmed CISA's suspicion that threat actors had access to each of the various compromised environments.

Cyber Threat Actor Behavior in Victim Network Environments

CISA observed, once credentials were compromised, cyber threat actors accessing victim network environments via the 
Pulse Secure VPN appliances. Cyber threat actors used "Connection Proxies" [T1090] [ 
https://attack.mitre.org/techniques/T1090 ], such as Tor infrastructure and virtual private servers (VPSs), to minimize 
the chance of detection when they connected to victim VPN appliances.

Using traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a 
victim's environment:

  * Creating persistence via scheduled tasks/remote access trojans 
  * Amassing files for exfiltration 
  * Executing ransomware on the victim's network environment 

By correlating these actions with the connection times and user accounts recorded in the victim's Pulse Secure .access 
logs, CISA was able to identify unauthorized threat actor connections to the victim's network environment. CISA was then 
able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network 
environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making 
these unauthorized connections.

In one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful 
attempts to connect to the customer environment to escalate privileges and drop ransomware. CISA has also observed this 
threat actor successfully dropping ransomware at hospitals and U.S. Government entities.

In other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These 
tools would enable threat actors to maintain access to the victim's network environment if they lost their primary 
connection.

Initial Detection

Conventional antivirus and endpoint detection and response solutions did not detect this type of activity because the 
threat actors used legitimate credentials and remote services.

An intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the 
external interface of the VPN appliance (possible in a customer's demilitarized zone) and if appropriate rules were in 
place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if 
configured.

Post-Compromise Detection and IOC Detection Tool

Given that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from 
compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched 
VPN appliances have been targeted by the activity revealed in this report.

To detect past exploitation of CVE-2019-11510, network administrators should:


  * Turn on unauthenticated log requests (see figure 5). (*Note:* there is a risk of overwriting logs with 
unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote 
syslog server.) 

Figure 5: Checkbox that enables logging exploit attacks
 
  * Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for 
strings such as ../../../data (see figure 6). 

Figure 6: Strings for detection of lateral movement
 
  * Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from 
unexpected geo-locations. 
  * Run CISA's IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated 
request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA 
encourages administrators to visit CISA's GitHub page [ https://github.com/cisagov/check-your-pulse ] to download and 
run the tool. While not exhaustive, this tool may find evidence of attempted compromise. 

Indicators of Compromise

CISA observed IP addresses making unauthorized connections to customer infrastructure. (*Note:* these IPs were observed 
as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure 
were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.

CISA observed the following user agents with this activity:


  * Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 
  * Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 
  * Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36 

CISA also observed:


  * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application whitelisting or 
antivirus (AV) protections. See table 1 for hashes of files used. 
  * A threat actor living off the land and utilizing C:\Python\ArcGIS to house malicious PE files, as well as using 
natively installed Python. 
  * A threat actor's attack infrastructure: 38.68.36(dot)112, ports 9090 and 8088 

Table 1: Filenames and hashes of files used by a threat actor

Filename                                                                   MD5
t.py (tied to scheduled task, python meterpreter reverse shell port 9090)  5669b1fa6bd8082ffe306aa6e597d7f5
g.py (tied to scheduled task, python meterpreter reverse shell port 8088)  61eebf58e892038db22a4d7c2ee65579

For a downloadable copy of IOCs, see STIX file [ 
https://www.us-cert.gov/sites/default/files/publications/AA20-107A_IOCs(WHITE).stix.xml ].
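The log review recommended under Post-Compromise Detection (searching for exploit strings such as ../../../data and for unauthorized sessions) together with the user agents and attack-infrastructure IP address listed in this section, as an added example that is not CISA's check-your-pulse tool: a Python scanner that parses access-log lines, flags traversal attempts and matches against the listed indicators, and then lists the authenticated accounts seen on flagged lines as candidates for the password resets the Mitigations section calls for. The log line format (timestamp, source IP, user name or "-", quoted request line, quoted user agent) and the sample log are constructed assumptions; the regular expression must be adapted to the appliance's real log format before use.

```python
# Added example, not CISA's tool: scans VPN access-log lines for the exploit
# strings and IoCs named in AA20-107A. The log line format assumed by LOG_RE
# and the SAMPLE_LOG below are constructed; adapt LOG_RE to the real format.
import re
from typing import Dict, List

# Values taken from the Indicators of Compromise section (Chrome UA written
# without the "[.]" defanging used in the Alert).
KNOWN_BAD_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/55.0.2883.87 Safari/537.36",
}
KNOWN_BAD_IPS = {"38.68.36.112"}

# Assumed line layout: <timestamp> <src ip> <user|-> "<method> <path> <proto>" "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" "(?P<ua>[^"]*)"$'
)
DATA_TRAVERSAL = re.compile(r"\.\./\.\./\.\./data")  # string the Alert says to search for
MULTI_TRAVERSAL = re.compile(r"(?:\.\./){2,}")       # any repeated climb in a request path


def analyze_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches an exploit string or an IoC."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # not in the assumed format; a production parser should report this
        ip, user, path, ua = match["ip"], match["user"], match["path"], match["ua"]
        reasons: List[str] = []
        if DATA_TRAVERSAL.search(path):
            reasons.append("request path reaches ../../../data")
        elif MULTI_TRAVERSAL.search(path):
            reasons.append("repeated ../ in request path")
        if ua in KNOWN_BAD_USER_AGENTS:
            reasons.append("user agent listed in AA20-107A")
        if ip in KNOWN_BAD_IPS:
            reasons.append("source IP listed in AA20-107A")
        if reasons:
            findings.append({"line": number, "time": match["ts"], "ip": ip,
                             "user": user, "reasons": reasons})
    return findings


def accounts_to_rotate(findings: List[Dict[str, object]]) -> List[str]:
    """Authenticated users seen on flagged lines: candidates for password resets."""
    return sorted({str(f["user"]) for f in findings if f["user"] != "-"})


# Constructed sample log (not from any victim): two unauthenticated exploit
# attempts, one authenticated session with a listed UA from the listed IP,
# and one ordinary session. Paths and addresses are constructed.
SAMPLE_LOG = """\
2020-02-14T21:02:11Z 198.51.100.7 - "GET /dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd HTTP/1.1" "python-requests/2.22.0"
2020-02-14T21:02:15Z 198.51.100.7 - "GET /dana-na/../dana/html5/acc/guacamole/../../../../../../../data/CONSTRUCTED_PLACEHOLDER HTTP/1.1" "python-requests/2.22.0"
2020-02-15T03:12:44Z 38.68.36.112 jdoe "GET /dana/home/index.cgi HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
2020-02-15T09:00:02Z 192.0.2.20 asmith "GET /dana/home/index.cgi HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0"
"""

if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG.splitlines())
    for finding in found:
        print(finding)
    print("accounts to review and rotate:", accounts_to_rotate(found))
```

Two caveats follow from the Alert itself: the addresses used for later unauthorized logins differed from those used during initial exploitation, so an IP match is confirmation rather than a filter, and a session on a valid account with an ordinary user agent will only stand out when its time and origin are compared against what that user normally does.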



Mitigations

CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding 
patches for CVE-2019-11510. If, after applying the detection measures in this Alert, organizations detect evidence of 
CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including 
administrators and services accounts.

CISA also recommends that organizations:


  * Look for unauthorized applications and scheduled tasks in their environment. 
  * Remove any remote access programs not approved by the organization. 
  * Remove any remote access trojans. 
  * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an 
environment. 

If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging 
the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the 
infection is gone even if the workstation or host has been reimaged.
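The host checks recommended above (looking for unauthorized applications and files that may let an attacker back in), combined with the file indicators from the Indicators of Compromise section, as an added example that is not CISA's tool: a Python triage script that walks a directory, compares each file's MD5 against the Table 1 hashes, and flags files that carry a PE header but sit under a non-executable extension, which is the renaming technique the Alert describes. The directory to scan is a parameter (the Alert names C:\Python\ArcGIS as one location a threat actor used); the extension list and the constructed sample directory are assumptions.

```python
# Added example, not CISA's tool: triages a directory for the file IoCs in
# Table 1 of AA20-107A and for portable executables renamed to a
# non-executable extension. PE_EXTENSIONS and build_sample_directory()
# are assumptions/constructed data, not from the Alert.
import hashlib
import os
from typing import Dict, List, Mapping

# MD5 hashes from Table 1 of the Alert.
KNOWN_BAD_MD5: Dict[str, str] = {
    "5669b1fa6bd8082ffe306aa6e597d7f5": "t.py (scheduled task, python meterpreter reverse shell, port 9090)",
    "61eebf58e892038db22a4d7c2ee65579": "g.py (scheduled task, python meterpreter reverse shell, port 8088)",
}
# Extensions under which a PE file is expected; anything else that starts
# with an MZ header is worth a look. The list is an assumption; extend it.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".pyd"}


def md5_of(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def has_pe_header(path: str) -> bool:
    """True if the file begins with the 'MZ' DOS header that every PE file carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage_directory(root: str, known_bad: Mapping[str, str] = KNOWN_BAD_MD5) -> List[Dict[str, str]]:
    """Walk root; return one finding per file matching a known hash or a renamed PE."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip broken links and special files
                continue
            digest = md5_of(path)
            if digest in known_bad:
                findings.append({"path": path, "reason": "known hash: " + known_bad[digest]})
            ext = os.path.splitext(name)[1].lower()
            if ext not in PE_EXTENSIONS and has_pe_header(path):
                findings.append({"path": path, "reason": "PE header under extension " + (ext or "<none>")})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_directory() -> str:
    """Create a temporary directory of constructed files for a dry run (not real malware)."""
    import tempfile
    root = tempfile.mkdtemp(prefix="aa20-107a-triage-")
    samples = {
        "report.py": b"MZ\x90\x00" + b"\x00" * 60,   # PE bytes hiding under .py
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,    # PE under an expected extension
        "notes.txt": b"meeting notes, nothing to see\n",
        "s.py": b"print('hello')\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_directory()
    for finding in triage_directory(target):
        print(finding["reason"], "->", finding["path"])
```

Run it against the directory under review (for example the C:\Python\ArcGIS path named in the Alert) and treat each hit as a lead to verify, not a verdict: a hash match is conclusive, while the header heuristic will also surface legitimate tooling that stores executables under unusual extensions. The scheduled-task review the Mitigations list asks for is a separate step on Windows, where each task's action should be checked for a script or executable in a location like the one this script flags.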

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this 
threat. For any questions related to this report, please contact CISA at


  * Phone: (888) 282-0870 
  * Email: CISAServiceDesk () cisa dhs gov 

References

  * [1] Pulse Secure Advisory SA44101 [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 ] 
  * [2] Pulse Secure Advisory SA44101 [ https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 ] 
  * [3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct [ 
https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1 ] 
  * [4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). [ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848
 ] 
  * [5] GitHub. BishopFox / pwn-pulse. [ https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh ] 
  * [6] File disclosure in Pulse Secure SSL VPN (Metasploit) [ https://www.exploit-db.com/exploits/47297 ] 
  * [7] Twitter. @alyssa_herrera_ [ https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11 ] 
  * [8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). [ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848
 ] 
  * [9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31). [ 
https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887
 ] 
  * [10] Twitter. @alyssa_herrera_ [ https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11 ] 

Revisions

  * April 16, 2020: Initial Version 
________________________________________________________________________

This product is provided subject to this Notification [ https://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ https://www.dhs.gov/privacy-policy ] policy.
