Sunday, December 3, 2023

Chinese APT Threat Actors Hacking Pulse Secure VPN Devices Remotely

The cybersecurity researchers at FireEye’s Mandiant security team have recently unveiled a new variant of malware that is targeting the Pulse Secure VPN devices. 

The devices and solutions offered by Pulse Secure’s virtual private network (VPN) are widely used by several organizations to keep their internal IT networks and systems secure from cyberattacks.

Earlier, the FireEye’s Mandiant team reported 12 different malware families on 20th April 2021 and also claimed that by abusing the vulnerabilities in software the hackers performed cyberattacks against several organizations like the defense, financial, and government.

Moreover, FireEye’s Mandiant security team affirmed that the cyberattacks that are performed by exploiting the vulnerabilities against several organizations in the US and Europe are executed by the Chinese APT hackers.

But, to address these issues, Pulse Secure is closely working with the Mandiant forensic team, all the affected organizations, and users. While Ivanti, it’s the parent company of Pulse Secure has proactively issued updated Security Advisories to assist their customers and address software vulnerabilities.

Abused vulnerabilities

The security flaws that are abused by the hackers are mentioned below:-

  • CVE-2021-22893 (Primary)
  • CVE-2019-11510 (Connected to attacks)
  • CVE-2020-8260 (Connected to attacks)
  • CVE-2020-8243 (Connected to attacks)

Among all these security flaws, the CVE-2021-22893 (PoC) is the primary one, and the hackers abuse this security flaw heavily. The security analysts have marked this vulnerability as severe and it has received a CVSS severity score of 10.

This vulnerability aggravates the Pulse Connect Secure to allow any unauthorized attacker to execute the arbitrary code on the affected system remotely.

Primary APT groups involved

The cybersecurity analysts at Mandiant has claimed that the following APT groups are the primary who are behind these incidents, and here they are mentioned below with their malware families:-

UNC2630

  • Malware family: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, BLOODMINE, BLOODBANK, CLEANPULSE, RAPIDPULSE

UNC2717

  • Malware family: HARDPULSE, QUIETPULSE, PULSEJUMP

Madiant stated that “There are several compromised organizations who work in verticals and industries that are aligned with Beijing’s strategic objectives sketched in 14th Five Year Plan of China. But, at many organizations, there is evidence of data theft, but, we haven’t observed any staging or data exfiltration by the Chinese APT hackers.”

Recommendations

The forensic experts of Madiant have suggested some recommendations to remediate a compromised Pulse Secure device, and here they are mentioned below:-

  • Reset all passwords.
  • Run the Pulse Integrity Checker Tool.
  • Caution must be taken while identifying if a Pulse Secure device was endangered at any previous date.
  • Upgrade to the latest software version.
  • Review logs to monitor unusual activities.
  • Rather than the web interface, users must perform the upgrades from the appliance console to ensure that no malicious logic is replicated to a clean device.
  • Enable secure logging.

Apart from this, initially on April 21st, 2021 the CISA (Cybersecurity and Infrastructure Security Agency) declared an alert about the exploitation of Pulse Connect Secure products publicly.

Website

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Booking.com Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles