Hackers Attack Corporate Networks via Zero-day Vulnerability at Pulse Connect Secure


In total, experts have identified 12 malware families associated with attacks on Pulse Secure VPN.

Cybercriminals are attacking corporate networks through a zero-day vulnerability in Pulse Connect Secure gateways (CVE-2021-22893) for which a patch has not yet been released. According to experts at the information security company FireEye, at least two hacker groups are exploiting the vulnerability to attack defense, government and financial organizations in the United States and other countries.

According to the researchers from FireEye, attackers are using a new vulnerability discovered in April 2021, along with already known vulnerabilities, to gain initial access to corporate networks. In total, experts identified 12 malware families associated with attacks on Pulse Secure VPN installations.

The aforementioned hacker groups, UNC2630 and UNC2717, are responsible for attacks on the networks of the US defense industrial base and of European organizations, respectively. Experts associate UNC2630 with the Chinese government and suggest that it is related to the APT5 hacker group. The group carried out attacks from August to October 2020, when UNC2717 came into play. The second group exploited the vulnerability to deploy custom malware samples on the networks of government organizations in Europe and the United States.

Malware attributed to UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE and PULSECHECK. Malware attributed to UNC2717: HARDPULSE, QUIETPULSE and PULSEJUMP. Two additional malware families deployed during the attacks, STEADYPULSE and LOCKPICK, were not associated with a specific group due to lack of information.

By exploiting vulnerabilities in Pulse Secure VPN (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893), the UNC2630 group stole credentials and used them to move laterally through the compromised environment. To gain persistence on the compromised network, the attackers used modified versions of legitimate Pulse Secure code and scripts to execute arbitrary commands and inject web shells.