APTs Go Teleworking: The Rise of VPN Exploits

The talk focuses on investigating VPN device compromises, specifically the Pulse Secure VPN technology, and providing best practices for incident response and securing gatekeepers.

• Misuse of Pulse Secure VPN devices by suspected Chinese-nexus threat actors for cyber espionage
• 16 unique malware families observed in the wild, exclusively designed to operate on Pulse Secure VPN appliances
• Bypassing multi-factor authentication and performing credential theft
• Employing anti-forensics and removal of VPN device log files
• Performing lateral movement into private networks and accessing Microsoft 365 public cloud environments or targeting virtual environments using stolen credentials
• Best practices for digital forensics and incident responses based on Mandiant's intrusions investigated
• Securing VPN gatekeepers

The talk highlights the importance of aggressively patching VPN devices, even if it results in downtime, as attackers can gain remote control over these devices and perform lateral movement into private networks. Additionally, attackers can bypass multi-factor authentication and perform credential theft, making it crucial to use reverse proxies or web application firewalls. Organizations should also prepare for VPN device compromises and be familiar with performing investigations.

Since the COVID-19 pandemic, workforces rely even more on VPN technologies for remote access into private networks.Pulse Secure by Ivanti is a leading VPN technology. Enterprise VPN devices often are deployed at the intersection between trusted and untrusted networks and secured using multi-factor authentication and integration with Active Directory.In April 2021, Mandiant detailed the misuse of Pulse Secure VPN devices, including by suspected Chinese-nexus threat actors for cyber espionage. Mandiant observed the use of a zero-day CVE 2021-22893 to compromise fully patched Pulse Secure appliances, as well as re-use of previously disclosed vulnerabilities.Attackers not only gained remote control over VPN devices at a wide variety of victims across the United States and Europe but also:1) Deployed a total of 16 unique malware families observed in the wild, exclusively designed to operate on Pulse Secure VPN appliances, including a variety of webshells and modifications to weaken cryptographic libraries2) Bypass multi-factor authentication and perform credential theft3) Employed anti-forensics and removal of VPN device log files, including altering deployed backdoors after Mandiant's public disclosure in April 20214) Perform lateral movement into private networks, as well as accessing Microsoft 365 public cloud environments or targeting virtual environments using stolen credentialsAs an incident responder advising organizations dealing with these intrusions, this talk focuses on investigation aspects of VPN device compromises:1) Challenges on VPN device compromises and detection of misuse, and why this remained undetected2) Overview of the campaign, malware and the threat actor identified familiar with the Pulse Secure platform, from a European perspective3) Best practices on digital forensics and incident responses, based upon Mandiant's intrusions investigated4) Knowing organizations continue to rely on VPN technology, how do we secure these gatekeepers?