Saturday, January 18, 2025
HomevpnChinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

Chinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers at FireEye’s Mandiant security team have recently unveiled a new variant of malware that is targeting the Pulse Secure VPN devices. 

The devices and solutions offered by Pulse Secure’s virtual private network (VPN) are widely used by several organizations to keep their internal IT networks and systems secure from cyberattacks.

Earlier, the FireEye’s Mandiant team reported 12 different malware families on 20th April 2021 and also claimed that by abusing the vulnerabilities in software the hackers performed cyberattacks against several organizations like the defense, financial, and government.

Moreover, FireEye’s Mandiant security team affirmed that the cyberattacks that are performed by exploiting the vulnerabilities against several organizations in the US and Europe are executed by the Chinese APT hackers.

But, to address these issues, Pulse Secure is closely working with the Mandiant forensic team, all the affected organizations, and users. While Ivanti, it’s the parent company of Pulse Secure has proactively issued updated Security Advisories to assist their customers and address software vulnerabilities.

Abused vulnerabilities

The security flaws that are abused by the hackers are mentioned below:-

  • CVE-2021-22893 (Primary)
  • CVE-2019-11510 (Connected to attacks)
  • CVE-2020-8260 (Connected to attacks)
  • CVE-2020-8243 (Connected to attacks)

Among all these security flaws, the CVE-2021-22893 (PoC) is the primary one, and the hackers abuse this security flaw heavily. The security analysts have marked this vulnerability as severe and it has received a CVSS severity score of 10.

This vulnerability aggravates the Pulse Connect Secure to allow any unauthorized attacker to execute the arbitrary code on the affected system remotely.

Primary APT groups involved

The cybersecurity analysts at Mandiant has claimed that the following APT groups are the primary who are behind these incidents, and here they are mentioned below with their malware families:-

UNC2630

  • Malware family: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE

UNC2717

  • Malware family: HARDPULSE, QUIETPULSE, PULSEJUMP

Madiant stated that “There are several compromised organizations who work in verticals and industries that are aligned with Beijing’s strategic objectives sketched in 14th Five Year Plan of China. But, at many organizations, there is evidence of data theft, but, we haven’t observed any staging or data exfiltration by the Chinese APT hackers.”

Recommendations

The forensic experts of Madiant have suggested some recommendations to remediate a compromised Pulse Secure device, and here they are mentioned below:-

  • Reset all passwords.
  • Run the Pulse Integrity Checker Tool.
  • Caution must be taken while identifying if a Pulse Secure device was endangered at any previous date.
  • Upgrade to the latest software version.
  • Review logs to monitor unusual activities.
  • Rather than the web interface, users must perform the upgrades from the appliance console to ensure that no malicious logic is replicated to a clean device.
  • Enable secure logging.

Apart from this, initially on April 21st, 2021 the CISA (Cybersecurity and Infrastructure Security Agency) declared an alert about the exploitation of Pulse Connect Secure products publicly.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

PoC Exploit Released for Ivanti Connect Secure RCE Vulnerability

A serious security flaw has been identified in Ivanti Connect Secure, designated as CVE-2025-0282, which...