Cybersecurity researchers from FireEye warn once again that Chinese APT groups UNC2630 (APT 5), UNC2717 continue to target Pulse Secure VPN devices to penetrate target networks and deliver malicious web shells to steal sensitive information.

The two hacking groups have exploited the CVE-2021-22893 zero-day vulnerability in Pulse Secure VPN devices to access the networks of US defense contractors and government organizations worldwide.

The Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks and deliver the below WEBSHELLS

  • SLOWPULSE;
  • RADIALPULSE;
  • THINBLOOD;
  • ATRIUM;
  • PACEMAKER;
  • SLIGHTPULSE;
  • PULSECHECK.

The UNC2630 group was harvesting credentials from various Pulse Secure VPN login flows, then used legitimate account credentials to move laterally into the affected environments.

Performing reverse engineering of the FLARE threat, the experts identified four additional malware families that were specifically designed to manipulate Pulse Secure VPN devices. 

  • Bloodmine
  • Bloodbank
  • Cleanpulse
  • Rapidpulse

Mandiant experts discovered that threat actors maintain persistence by compromising the upgrade process on the Pulse Secure Appliance. Threat actors use to modify the legitimate DSUpgrade.pm file to inject the ATRIUM webshell in any system upgrade procedure.

Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration, 

They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.