Chinese hackers used Pulse Secure VPN zero-day to breach US defense contractors

Two hacking groups, including at least one confirmed Chinese cyber-espionage outfit, have used a new zero-day vulnerability in Pulse Secure VPN equipment to gain a foothold inside the networks of US defense contractors and government organizations across the world.

The attacks were discovered earlier this year by cybersecurity firm FireEye and confirmed by Pulse Secure today in coordinated press releases.

FireEye said the attacks began in August 2020, when the first group, which the company tracks as UNC2630, began targeting US defense contractors and European organizations.

The hackers used a combination of older, already-patched Pulse Secure VPN bugs and a new zero-day, tracked as CVE-2021-22893, to take over Pulse Secure devices and then install one of seven malware strains (SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK), which acted as web shells and backdoors into the hacked organization.

FireEye said that UNC2630 attacks typically followed the below pattern:

  1. Modify Pulse Secure code to log credentials and bypass authentication flows, including multifactor authentication requirements (via the SLOWPULSE malware).
  2. Inject the RADIALPULSE and PULSECHECK webshells into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages.
  3. Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.
  4. Maintain persistence across VPN appliance general upgrades that are performed by the administrator.
  5. Unpatch modified files and delete utilities and scripts after use to evade detection.
  6. Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor-defined regular expression.
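The tampering pattern above is what an appliance integrity check is built to catch: files under the web root whose hash no longer matches a known-good manifest, new files that should not exist, and a web-root filesystem mounted read-write when it is expected to be read-only. The Python script below is an added example, not code from FireEye, Ivanti, or this article, and demonstrates those three checks against a constructed directory tree and a constructed /proc/mounts excerpt. The web-root path /appliance/www, the .cgi file names, the mount-table lines and the webshell-marker regular expressions are assumptions for illustration only; the vendor's own integrity tool, not this script, is the supported way to examine a real appliance.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed /proc/mounts excerpt for a hypothetical appliance. The device
# names, mount points and filesystem types are assumptions, not Pulse Secure facts.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 /boot ext3 ro,relatime 0 0
/dev/sda2 /appliance/www ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

# Heuristic markers for code that hands a request parameter straight to an
# interpreter or shell. Illustrative only; a real check uses vendor-published
# indicators, not these made-up patterns.
WEBSHELL_MARKERS = [
    re.compile(rb"(eval|system|exec)\s*\(\s*\$_(GET|POST|REQUEST)"),      # PHP style
    re.compile(rb"(eval|system)\s*\(\s*(\$q->|\$cgi->)?param\("),        # Perl CGI style
    re.compile(rb"base64_decode\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files absent from the baseline, and files missing now."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_for_markers(root: Path, rel_paths) -> list:
    """Return the relative paths whose content matches any webshell heuristic."""
    hits = []
    for rel in rel_paths:
        data = (root / rel).read_bytes()
        if any(m.search(data) for m in WEBSHELL_MARKERS):
            hits.append(rel)
    return sorted(hits)


def mount_mode(proc_mounts: str, mountpoint: str):
    """Return 'ro' or 'rw' for mountpoint from /proc/mounts text, or None if not mounted."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "ro" if "ro" in fields[3].split(",") else "rw"
    return None


def demo() -> dict:
    """Build a baseline, simulate the tampering the article describes, and report findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "admin").mkdir(parents=True)
        (root / "admin" / "login.cgi").write_text("print 'login form';\n")
        (root / "admin" / "status.cgi").write_text("print 'ok';\n")
        baseline = build_manifest(root)  # known-good manifest taken before compromise

        # Simulated tampering: the login page is modified to record submitted
        # credentials, and a new backdoor page that evals a request parameter appears.
        (root / "admin" / "login.cgi").write_text(
            "open(F,'>>/tmp/c'); print F $q->param('user');\nprint 'login form';\n")
        (root / "admin" / "help.cgi").write_text("eval(param('cmd'));\n")
        current = build_manifest(root)

        findings = diff_manifests(baseline, current)
        findings["marker_hits"] = scan_for_markers(
            root, findings["modified"] + findings["added"])
        # A web root that should be read-only but shows up 'rw' is itself a finding.
        findings["www_mount"] = mount_mode(SAMPLE_PROC_MOUNTS, "/appliance/www")
        return findings


if __name__ == "__main__":
    print(demo())
```

Note that the modified login page is caught only by the hash comparison, not by the webshell markers: credential-logging patches look like ordinary code, which is why a trusted baseline manifest matters more than signature matching for this class of tampering.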

Second group joins the fold

Attacks against Pulse Secure devices expanded in October 2020, when a second group, which FireEye named UNC2717, began using the same techniques and zero-day to install its own set of malware (HARDPULSE, QUIETPULSE, and PULSEJUMP) on the networks of government agencies in Europe and the US.

While FireEye couldn't formally link the two groups and hacking campaigns, the company noted the "possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors [state-sponsored hacking groups]."

FireEye said the attacks continued until March 2021. The company also discovered two additional malware strains (bringing the total to 12) that were used in intrusions but which it couldn't definitively link to either group.

While FireEye had no attribution for the second group, the US security vendor said that, based on internal data, UNC2630, the first group, appears to "operate on behalf of the Chinese government and may have ties to APT5," a well-known Chinese cyber-espionage group.

Pulse Secure mitigations available now, patch next month

Ivanti, the company behind the Pulse Secure VPN brand, confirmed FireEye's findings earlier today and also released a security advisory to address CVE-2021-22893.

The advisory contains temporary mitigations to prevent attacks; a final security update with a full patch is scheduled for May.

In addition, the company released the Pulse Security Integrity Checker Tool, which scans Pulse Secure VPN servers for signs of compromise via CVE-2021-22893 or previously known vulnerabilities.


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.