Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices (Security News, May 2021)
Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.
FireEye's Mandiant threat intelligence team, which tracks the cyberespionage activity under two threat clusters, UNC2630 and UNC2717, said the intrusions line up with key Chinese government priorities, adding: "Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan."
On April 20, the cybersecurity firm disclosed 12 different malware families, including STEADYPULSE and LOCKPICK, that were built specifically to infect Pulse Secure VPN appliances and have been put to use by several cyberespionage groups believed to be affiliated with the Chinese government.
Families attributed to UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK. Families attributed to UNC2717: HARDPULSE, QUIETPULSE, and PULSEJUMP. FireEye's continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 - BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE - used to harvest credentials and sensitive system data, execute arbitrary files, and remove forensic evidence.
The threat actors were also observed removing the ATRIUM and SLIGHTPULSE web shells from dozens of compromised VPN devices between April 17 and April 20, behaviour the researchers describe as "unusual," suggesting "This action displays an interesting concern for operational security and a sensitivity to publicity."
At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network. From there they stole credentials, escalated privileges, conducted internal reconnaissance and moved laterally across the network, maintained long-term persistent access, and accessed sensitive data.
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/pal-DqduGaI/chinese-cyber-espionage-hackers.html
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-23 | CVE-2021-22893 | Use-after-free vulnerability in Ivanti Connect Secure 9.0/9.1. Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure, which can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. | 10.0 |