21 April 2021

Threat actors are exploiting Pulse Secure zero-day to hack into organizations across the world


At least two hacker groups have been leveraging critical vulnerabilities in Pulse Secure VPN devices, as well as a zero-day flaw, in cyber attacks against defense, government, and financial organizations in the U.S. and other countries.

According to security advisories released by FireEye’s Mandiant team and Pulse Secure, in the observed attacks malicious actors leveraged several Pulse Secure vulnerabilities patched in 2019 and 2020 (CVE-2019-11510, CVE-2020-8243) and a previously unknown bug, tracked as CVE-2021-22893, to bypass multi-factor authentication protections and get access to enterprise networks.

“A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector,” FireEye said.

According to the cybersecurity firm, the attacks started in August 2020 when the first group, known as UNC2630, began targeting US defense contractors and European organizations.

The researchers believe that UNC2630 is working on behalf of the Chinese government and may have ties to another China-linked espionage actor tracked as APT5 based on "strong similarities to historic intrusions dating back to 2014 and 2015."

FireEye is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices which are able to circumvent authentication and have backdoor capabilities. However, these malware families are not necessarily related to each other, FireEye noted.

The list of malware families includes:

UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK

UNC2717: HARDPULSE, QUIETPULSE, and PULSEJUMP

Two additional malware families, STEADYPULSE and LOCKPICK, used in the attacks, have not been attributed to any threat actor due to lack of evidence.

“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” FireEye noted.
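The persistence technique FireEye describes, legitimate appliance binaries and scripts that have been quietly modified, is exactly what a file-integrity baseline is meant to catch. The script below is an added illustration written for this article, not code from FireEye, Pulse Secure or Ivanti: it hashes every file under a directory into a manifest, then compares a later manifest against the baseline to report modified, added and missing files. The directory layout and file names it builds are constructed placeholders, not real Pulse Secure appliance paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Return (modified, added, missing) relative paths, each list sorted.

    modified: present in both manifests but the digest changed (a tampered binary or script)
    added:    present now but absent from the known-good baseline (a dropped implant)
    missing:  in the baseline but gone now (a removed or renamed component)
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def demo():
    """Build a constructed sample tree, snapshot it, simulate tampering, and diff.

    The file names are placeholders invented for this example; they are not the
    paths of any real Pulse Secure component.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "auth_helper").write_bytes(b"#!/bin/sh\nexit 0\n")
        (root / "bin" / "login.cgi").write_bytes(b"original login handler\n")

        # Known-good snapshot taken from a trusted image.
        baseline = build_manifest(root)

        # Simulated post-compromise state: one legitimate script altered, one new file dropped.
        (root / "bin" / "login.cgi").write_bytes(b"original login handler\n# tampered\n")
        (root / "bin" / "extra.so").write_bytes(b"unexpected new file\n")

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("missing: ", missing)
```

In practice the baseline manifest must come from a trusted source (a vendor-published hash list or a snapshot of a freshly installed image stored off the appliance), since a manifest generated on an already-compromised device would simply bless the attacker's changes.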

Pulse Secure’s parent company, Ivanti, provided temporary mitigations to prevent attacks, and the final patch is expected to be released in May 2021.
