Tuesday, May 28, 2024

Chinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

The cybersecurity researchers at FireEye’s Mandiant security team have recently unveiled a new variant of malware that is targeting the Pulse Secure VPN devices. 

The devices and solutions offered by Pulse Secure’s virtual private network (VPN) are widely used by several organizations to keep their internal IT networks and systems secure from cyberattacks.

Earlier, the FireEye’s Mandiant team reported 12 different malware families on 20th April 2021 and also claimed that by abusing the vulnerabilities in software the hackers performed cyberattacks against several organizations like the defense, financial, and government.

Moreover, FireEye’s Mandiant security team affirmed that the cyberattacks that are performed by exploiting the vulnerabilities against several organizations in the US and Europe are executed by the Chinese APT hackers.

But, to address these issues, Pulse Secure is closely working with the Mandiant forensic team, all the affected organizations, and users. While Ivanti, it’s the parent company of Pulse Secure has proactively issued updated Security Advisories to assist their customers and address software vulnerabilities.

Abused vulnerabilities

The security flaws that are abused by the hackers are mentioned below:-

  • CVE-2021-22893 (Primary)
  • CVE-2019-11510 (Connected to attacks)
  • CVE-2020-8260 (Connected to attacks)
  • CVE-2020-8243 (Connected to attacks)

Among all these security flaws, the CVE-2021-22893 (PoC) is the primary one, and the hackers abuse this security flaw heavily. The security analysts have marked this vulnerability as severe and it has received a CVSS severity score of 10.

This vulnerability aggravates the Pulse Connect Secure to allow any unauthorized attacker to execute the arbitrary code on the affected system remotely.

Primary APT groups involved

The cybersecurity analysts at Mandiant has claimed that the following APT groups are the primary who are behind these incidents, and here they are mentioned below with their malware families:-

UNC2630

  • Malware family: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE

UNC2717

  • Malware family: HARDPULSE, QUIETPULSE, PULSEJUMP

Madiant stated that “There are several compromised organizations who work in verticals and industries that are aligned with Beijing’s strategic objectives sketched in 14th Five Year Plan of China. But, at many organizations, there is evidence of data theft, but, we haven’t observed any staging or data exfiltration by the Chinese APT hackers.”

Recommendations

The forensic experts of Madiant have suggested some recommendations to remediate a compromised Pulse Secure device, and here they are mentioned below:-

  • Reset all passwords.
  • Run the Pulse Integrity Checker Tool.
  • Caution must be taken while identifying if a Pulse Secure device was endangered at any previous date.
  • Upgrade to the latest software version.
  • Review logs to monitor unusual activities.
  • Rather than the web interface, users must perform the upgrades from the appliance console to ensure that no malicious logic is replicated to a clean device.
  • Enable secure logging.

Apart from this, initially on April 21st, 2021 the CISA (Cybersecurity and Infrastructure Security Agency) declared an alert about the exploitation of Pulse Connect Secure products publicly.

Website

Latest articles

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...

Hackers Exploit WordPress Plugin to Steal Credit Card Data

Hackers have exploited an obscure WordPress plugin to inject malware into websites, specifically targeting...

Google Patches Chrome Zero-Day: Type Confusion in V8 JavaScript

Google has released a patch for a zero-day exploit in its Chrome browser.The...

Hackers Created Rogue VMs in Recent MITRE’s Cyber Attack

State-sponsored hackers recently exploited vulnerabilities in MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE).They...

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles