Security News > 2021 > May > Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices
Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.
FireEye's Mandiant threat intelligence team, which is tracking the cyberespionage activity under two threat clusters UNC2630 and UNC2717, said the intrusions lines up with key Chinese government priorities, adding "Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan.".
On April 20, the cybersecurity firm disclosed 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by several cyberespionage groups believed to be affiliated with the Chinese government.
UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK. UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP. FireEye's continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 - BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE - for purposes of harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence.
The threat actors were also observed removing web shells, ATRIUM, and SLIGHTPULSE, from dozens of compromised VPN devices between April 17 and April 20 in what the researchers describe as "Unusual," suggesting "This action displays an interesting concern for operational security and a sensitivity to publicity."
At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network, using it to steal credentials, escalate privileges, conduct internal reconnaissance by moving laterally across the network, before maintaining long-term persistent access, and accessing sensitive data.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/pal-DqduGaI/chinese-cyber-espionage-hackers.html
Related news
- Chinese hackers targeted sanctions office in Treasury attack (source)
- US sanctions Chinese company linked to Flax Typhoon hackers (source)
- Chinese hackers also breached Charter and Windstream networks (source)
- US Treasury hack linked to Silk Typhoon Chinese state hackers (source)
- Russia-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware (source)
- Hackers leak configs and VPN credentials for 15,000 FortiGate devices (source)
- US sanctions Chinese firm, hacker behind telecom and Treasury hacks (source)
- Trump 'waved a white flag to Chinese hackers' as Homeland Security axed cyber advisory boards (source)
- GamaCopy Mimics Gamaredon Tactics in Cyber Espionage Targeting Russian Entities (source)
- How Lazarus Group built a cyber espionage empire (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-23 | CVE-2021-22893 | Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1 Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |