Unpatched security flaws are a standing threat to organizations: cybercriminals routinely target unpatched vulnerabilities to gain access to victims’ data and networks. Recently, cybersecurity researchers from FireEye revealed that Chinese threat actors are exploiting vulnerabilities in Pulse Secure’s Pulse Connect Secure (PCS) Virtual Private Network (VPN) appliances. Pulse Connect Secure provides TLS-based and mobile VPN access to organizations globally.
The researchers found intrusions by Chinese advanced persistent threat (APT) groups, dubbed UNC2630 and UNC2717, targeting various sectors including government, defense, technology, transport, and financial entities in the U.S. and Europe.
“We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities. Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan. While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement,” FireEye said.
Tradecraft of UNC2630 and UNC2717
According to FireEye, both UNC2630 and UNC2717 display advanced tradecraft to avoid detection: they modify file timestamps and edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration.
“They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date,” FireEye added.
The actors use their tools and command-and-control IP addresses inconsistently from one intrusion to the next, and FireEye identified four additional malware families specifically designed to manipulate Pulse Secure devices.
The newly discovered four malware families linked to UNC2630 and UNC2717 include:
- BLOODMINE – A utility for parsing Pulse Connect Secure log files. It extracts information related to logins, message IDs, and web requests and copies the relevant data to another file.
- BLOODBANK – A credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given on the command line.
- CLEANPULSE – A memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM web shell.
- RAPIDPULSE – A web shell capable of arbitrary file read. As is common with other web shells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker.
Attackers leverage these four malware families to harvest credentials and sensitive system data, execute arbitrary files, and remove forensic evidence.
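Because RAPIDPULSE and similar web shells live as modifications to legitimate appliance files, and because the actors roll back timestamps and delete logs, the practical defensive check is to diff the appliance file tree against a known-good hash manifest and flag timestamp anomalies. The script below is an added example written for this article, not FireEye's or Pulse Secure's code (CISA has published its own integrity checker for PCS; this is a generic illustration of the same idea). It assumes you captured a baseline manifest from a clean install; the directory names, file names and tampering steps in demo() are constructed for illustration.

```python
"""Baseline-and-compare integrity check for an appliance file tree.

Added example, not FireEye's or Pulse Secure's code. Assumes a SHA-256
manifest taken from a clean install and a later snapshot of the same tree.
The paths used in demo() are constructed for illustration only.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(root: Path, baseline: dict, skew_seconds: int = 60) -> dict:
    """Report files that differ from the baseline plus timestamp anomalies.

    modified:    hash differs (a legitimate file turned into a web shell)
    added:       present now, absent from the baseline (dropped tooling)
    missing:     in the baseline, gone now (deleted logs or core dumps)
    timestomped: mtime is older than ctime by more than skew_seconds.
      On Linux, ctime cannot be set from user space, so a file whose mtime
      was rolled back after a write shows mtime well below ctime. Benign
      operations (cp -p, tar extraction, chmod) also produce this pattern,
      so treat a hit as a lead to be confirmed against the hash result.
    """
    current = build_baseline(root)
    result = {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        "timestomped": [],
    }
    for rel in current:
        st = (root / rel).stat()
        if st.st_ctime - st.st_mtime > skew_seconds:
            result["timestomped"].append(rel)
    result["timestomped"].sort()
    return result


def demo() -> dict:
    """Constructed scenario: baseline a fake appliance tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cgi").mkdir()
        (root / "logs").mkdir()
        (root / "cgi" / "login.cgi").write_text("original handler\n")
        (root / "logs" / "access.log").write_text("line1\nline2\n")
        baseline = build_baseline(root)

        # 1) backdoor a legitimate file in place, then roll its mtime back a day
        shell = root / "cgi" / "login.cgi"
        shell.write_text("original handler\n# injected\n")
        old = time.time() - 86400
        os.utime(shell, (old, old))
        # 2) delete a log file; 3) drop a new file
        (root / "logs" / "access.log").unlink()
        (root / "cgi" / "helper.pl").write_text("new\n")

        return compare(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the baseline from a known-clean image or vendor-supplied hashes, never from an appliance that may already be compromised, since a baseline taken after the web shell was planted will simply enshrine it. The timestamp heuristic only catches mtime rollbacks; an actor who deletes logs outright shows up in the missing list, which is why the two checks are reported together.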
Warning from CISA
Last month, the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), warned organizations running Ivanti Pulse Connect Secure (PCS) VPN appliances on their networks about active exploitation of CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893.