Friday, March 29, 2024

Chinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

The cybersecurity researchers at FireEye’s Mandiant security team have recently unveiled a new variant of malware that is targeting the Pulse Secure VPN devices. 

The devices and solutions offered by Pulse Secure’s virtual private network (VPN) are widely used by several organizations to keep their internal IT networks and systems secure from cyberattacks.

Earlier, the FireEye’s Mandiant team reported 12 different malware families on 20th April 2021 and also claimed that by abusing the vulnerabilities in software the hackers performed cyberattacks against several organizations like the defense, financial, and government.

Moreover, FireEye’s Mandiant security team affirmed that the cyberattacks that are performed by exploiting the vulnerabilities against several organizations in the US and Europe are executed by the Chinese APT hackers.

But, to address these issues, Pulse Secure is closely working with the Mandiant forensic team, all the affected organizations, and users. While Ivanti, it’s the parent company of Pulse Secure has proactively issued updated Security Advisories to assist their customers and address software vulnerabilities.

Abused vulnerabilities

The security flaws that are abused by the hackers are mentioned below:-

  • CVE-2021-22893 (Primary)
  • CVE-2019-11510 (Connected to attacks)
  • CVE-2020-8260 (Connected to attacks)
  • CVE-2020-8243 (Connected to attacks)

Among all these security flaws, the CVE-2021-22893 (PoC) is the primary one, and the hackers abuse this security flaw heavily. The security analysts have marked this vulnerability as severe and it has received a CVSS severity score of 10.

This vulnerability aggravates the Pulse Connect Secure to allow any unauthorized attacker to execute the arbitrary code on the affected system remotely.

Primary APT groups involved

The cybersecurity analysts at Mandiant has claimed that the following APT groups are the primary who are behind these incidents, and here they are mentioned below with their malware families:-

UNC2630

  • Malware family: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE

UNC2717

  • Malware family: HARDPULSE, QUIETPULSE, PULSEJUMP

Madiant stated that “There are several compromised organizations who work in verticals and industries that are aligned with Beijing’s strategic objectives sketched in 14th Five Year Plan of China. But, at many organizations, there is evidence of data theft, but, we haven’t observed any staging or data exfiltration by the Chinese APT hackers.”

Recommendations

The forensic experts of Madiant have suggested some recommendations to remediate a compromised Pulse Secure device, and here they are mentioned below:-

  • Reset all passwords.
  • Run the Pulse Integrity Checker Tool.
  • Caution must be taken while identifying if a Pulse Secure device was endangered at any previous date.
  • Upgrade to the latest software version.
  • Review logs to monitor unusual activities.
  • Rather than the web interface, users must perform the upgrades from the appliance console to ensure that no malicious logic is replicated to a clean device.
  • Enable secure logging.

Apart from this, initially on April 21st, 2021 the CISA (Cybersecurity and Infrastructure Security Agency) declared an alert about the exploitation of Pulse Connect Secure products publicly.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles