Chinese APT Groups continue to pound away on Pulse Secure VPNs

Multiple cyberthreat groups believed to be working in support of China’s long-term economic interests are continuing to hammer away at networks belonging to organizations across the defense, high-tech, government, transportation, and financial services sectors in the US and Europe.

FireEye’s Mandiant group this week reported it had responded to numerous intrusions where China-based threat actors compromised Pulse Secure VPN appliances to break into an organization’s network and steal sensitive data.

In many instances, the attackers took advantage of an authentication bypass vulnerability in the Pulse Connect Secure (PCS) appliance (CVE-2021-22893) and a combination of previously known vulnerabilities to gain initial access on a victim network. The authentication bypass flaw was discovered and patched last month — but only after attackers had begun exploiting it in the wild. However, Mandiant researchers were often unable to determine an initial access vector, because the threat actors deleted or altered forensic evidence or the Pulse Secure appliance itself had gone through software updates that destroyed evidence of initial compromise.

Mandiant’s warning this week on the advanced persistent threat (APT) activity from China targeted at US and European companies is an update to a warning it had issued last month on the same issue. In that alert, Mandiant had reported on two China-based groups — UNC2630 and UNC2717 — using a battery of malware tools to target vulnerabilities in Pulse Secure VPN appliances. Mandiant said it had observed UNC2630 targeting organizations in the US defense industrial base and UNC2717 hitting an organization in the EU. The Mandiant report offered an analysis of 12 malware code families that the security vendor said it had observed the attackers using to specifically target vulnerabilities in Pulse Secure VPN appliances.

In this week’s report, Mandiant said it had uncovered four additional malware families — Bloodmine, Bloodbank, CleanPulse and RapidPulse — that appear specifically designed to exploit vulnerabilities in Pulse Secure VPN devices. That brings the total number of malware families that Mandiant says it has observed Chinese APT groups using to specifically target Pulse Secure VPNs since last April to 16.

To read the complete article, visit Dark Reading.