March 21, 2023

Cybersecurity researchers from FireEye warn once again that Chinese APT groups UNC2630 (APT 5), UNC2717 continue to target Pulse Secure VPN devices to penetrate target networks and deliver malicious web shells to steal sensitive information.

The two hacking groups have exploited the CVE-2021-22893 zero-day vulnerability in Pulse Secure VPN devices to access the networks of US defense contractors and government organizations worldwide.

The Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks and deliver the below WEBSHELLS

  • SLOWPULSE;
  • RADIALPULSE;
  • THINBLOOD;
  • ATRIUM;
  • PACEMAKER;
  • SLIGHTPULSE;
  • PULSECHECK.

The UNC2630 group was harvesting credentials from various Pulse Secure VPN login flows, then used legitimate account credentials to move laterally into the affected environments.

Performing reverse engineering of the FLARE threat, the experts identified four additional malware families that were specifically designed to manipulate Pulse Secure VPN devices. 

  • Bloodmine
  • Bloodbank
  • Cleanpulse
  • Rapidpulse

Mandiant experts discovered that threat actors maintain persistence by compromising the upgrade process on the Pulse Secure Appliance. Threat actors use to modify the legitimate DSUpgrade.pm file to inject the ATRIUM webshell in any system upgrade procedure.

Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,

They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.

Tags:

Leave a Reply

Related Post

DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023

You may have missed

DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023
NBA suffers a Data Breach – Third Party Provider Data Stolen

NBA suffers a Data Breach – Third Party Provider Data Stolen

March 21, 2023
Ferrari – Cyber Attack Ransom Demanded

Ferrari – Cyber Attack Ransom Demanded

March 21, 2023
ForgeRock new Passwordless Service

ForgeRock new Passwordless Service

March 20, 2023
New Decryptor for Conti Ransomware Released

New Decryptor for Conti Ransomware Released

March 20, 2023
%d bloggers like this: