China-linked APT groups targets orgs via Pulse Secure VPN devices

Pierluigi Paganini May 28, 2021

Researchers from FireEye warn that China-linked APT groups continue to target Pulse Secure VPN devices to compromise networks.

Cybersecurity researchers from FireEye warn once again that Chinese APT groups continue to target Pulse Secure VPN devices to penetrate target networks and deliver malicious web shells to steal sensitive information.

FireEye monitored the activities of two threat clusters, tracked as UNC2630 and UNC2717, that compromised organizations operate in verticals and industries. Experts pointed out that the victims operate in verticals and industries aligned with Beijing’s strategic objectives as outlined in China’s 14th Five Year Plan.

According to coordinated reports published by FireEye and Pulse Secure in April, the two hacking groups have exploited the CVE-2021-22893 zero-day vulnerability in Pulse Secure VPN devices to access the networks of US defense contractors and government organizations worldwide.

The statement reveals that one of the two hacking groups was a China-linked cyber espionage group, the analysis of internal data confirmed that UNC2630 group was operating under the control of the China-linked APT5.

The attacks were first discovered by the cybersecurity firm FireEye early this year, when the Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks.

Pulse Secure VPN China

Experts reported that the threat actors leveraged the above issued to deliver one of the following backdoors and webshells:

  • SLOWPULSE;
  • RADIALPULSE;
  • THINBLOOD;
  • ATRIUM;
  • PACEMAKER;
  • SLIGHTPULSE;
  • PULSECHECK.

The UNC2630 group was harvesting credentials from various Pulse Secure VPN login flows, then used legitimate account credentials to move laterally into the affected environments.

“Mandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure VPN appliances at organizations across the defense, government, high tech, transportation, and financial sectors in the U.S. and Europe.” reads the report published by FireEye. “Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized.”

Performing reverse engineering of the FLARE threat, the experts identified four additional malware families that were specifically designed to manipulate Pulse Secure VPN devices. 

Malware FamilyDescriptionActor
BLOODMINE BLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file.UNC2630
BLOODBANK BLOODBANK is a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt.UNC2630
CLEANPULSE CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell.UNC2630
RAPIDPULSE RAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker.UNC2630

Table 1: New malware families identified

Mandiant experts discovered that threat actors maintain persistence by compromising the upgrade process on the Pulse Secure Appliance. Threat actors use to modify the legitimate DSUpgrade.pm file to inject the ATRIUM webshell in any system upgrade procedure.

Between April 17 and April 20, the threat actors were observed removing ATRIUM and SLIGHTPULSE web shells from dozens of compromised VPN devices. The move is “unusual” and suggests this action displays an interesting concern for operational security and a sensitivity to publicity.

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,” the concludes the report. “They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse Secure VPN)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment