Security News > 2021 > May > Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices
Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.
FireEye's Mandiant threat intelligence team, which is tracking the cyberespionage activity under two threat clusters UNC2630 and UNC2717, said the intrusions lines up with key Chinese government priorities, adding "Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan.".
On April 20, the cybersecurity firm disclosed 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by several cyberespionage groups believed to be affiliated with the Chinese government.
UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK. UNC2717 - HARDPULSE, QUIETPULSE, AND PULSEJUMP. FireEye's continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 - BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE - for purposes of harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence.
The threat actors were also observed removing web shells, ATRIUM, and SLIGHTPULSE, from dozens of compromised VPN devices between April 17 and April 20 in what the researchers describe as "Unusual," suggesting "This action displays an interesting concern for operational security and a sensitivity to publicity."
At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network, using it to steal credentials, escalate privileges, conduct internal reconnaissance by moving laterally across the network, before maintaining long-term persistent access, and accessing sensitive data.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/pal-DqduGaI/chinese-cyber-espionage-hackers.html
Related news
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Hackers Weaponize Visual Studio Code Remote Tunnels for Cyber Espionage (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Sophos reveals 5-year battle with Chinese hackers attacking network devices (source)
- Sophos Versus the Chinese Hackers (source)
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions (source)
- Reminder: China-backed crews compromised 'multiple' US telcos in 'significant cyber espionage campaign' (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-23 | CVE-2021-22893 | Use After Free vulnerability in Ivanti Connect Secure 9.0/9.1 Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |