Sunday, May 18, 2025
HomevpnChinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

Chinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers at FireEye’s Mandiant security team have recently unveiled a new variant of malware that is targeting the Pulse Secure VPN devices. 

The devices and solutions offered by Pulse Secure’s virtual private network (VPN) are widely used by several organizations to keep their internal IT networks and systems secure from cyberattacks.

Earlier, the FireEye’s Mandiant team reported 12 different malware families on 20th April 2021 and also claimed that by abusing the vulnerabilities in software the hackers performed cyberattacks against several organizations like the defense, financial, and government.

- Advertisement - Google News

Moreover, FireEye’s Mandiant security team affirmed that the cyberattacks that are performed by exploiting the vulnerabilities against several organizations in the US and Europe are executed by the Chinese APT hackers.

But, to address these issues, Pulse Secure is closely working with the Mandiant forensic team, all the affected organizations, and users. While Ivanti, it’s the parent company of Pulse Secure has proactively issued updated Security Advisories to assist their customers and address software vulnerabilities.

Abused vulnerabilities

The security flaws that are abused by the hackers are mentioned below:-

  • CVE-2021-22893 (Primary)
  • CVE-2019-11510 (Connected to attacks)
  • CVE-2020-8260 (Connected to attacks)
  • CVE-2020-8243 (Connected to attacks)

Among all these security flaws, the CVE-2021-22893 (PoC) is the primary one, and the hackers abuse this security flaw heavily. The security analysts have marked this vulnerability as severe and it has received a CVSS severity score of 10.

This vulnerability aggravates the Pulse Connect Secure to allow any unauthorized attacker to execute the arbitrary code on the affected system remotely.

Primary APT groups involved

The cybersecurity analysts at Mandiant has claimed that the following APT groups are the primary who are behind these incidents, and here they are mentioned below with their malware families:-

UNC2630

  • Malware family: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE

UNC2717

  • Malware family: HARDPULSE, QUIETPULSE, PULSEJUMP

Madiant stated that “There are several compromised organizations who work in verticals and industries that are aligned with Beijing’s strategic objectives sketched in 14th Five Year Plan of China. But, at many organizations, there is evidence of data theft, but, we haven’t observed any staging or data exfiltration by the Chinese APT hackers.”

Recommendations

The forensic experts of Madiant have suggested some recommendations to remediate a compromised Pulse Secure device, and here they are mentioned below:-

  • Reset all passwords.
  • Run the Pulse Integrity Checker Tool.
  • Caution must be taken while identifying if a Pulse Secure device was endangered at any previous date.
  • Upgrade to the latest software version.
  • Review logs to monitor unusual activities.
  • Rather than the web interface, users must perform the upgrades from the appliance console to ensure that no malicious logic is replicated to a clean device.
  • Enable secure logging.

Apart from this, initially on April 21st, 2021 the CISA (Cybersecurity and Infrastructure Security Agency) declared an alert about the exploitation of Pulse Connect Secure products publicly.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

SonicWall SMA1000 Vulnerability Allow Attackers to Exploit Encoded URLs To Remotely Gain Internal Systems Access

SonicWall has issued a critical security advisory (SNWLID-2025-0010) for its SMA1000 Appliance Work Place...

Intruder vs. Acunetix vs. Attaxion: Comparing Vulnerability Management Solutions

The vulnerability management market is projected to reach US$24.08 billion by 2030, with numerous...

CISA Alerts on Active Exploitation of Zero-Day Vulnerability in Multiple Fortinet Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding...