New Malware Tools Created to Exploit Pulse Secure VPN Appliances

On April 20, FireEye’s Mandiant cyber forensics team disclosed vulnerabilities in Pulse Secure’s software that led to attacks against defense, government, and financial organizations.

Through its Secure Connect and Virtual Private Network solutions, Pulse Secure enables organizations to secure their networks and provide secure access to their systems.

One major vulnerability is CVE-2021-22893 with a CVSS severity score of 10, which could allow unauthenticated attackers to execute arbitrary code through a vulnerable component of Pulse Secure.

Other security flaws disclosed are CVE-2019-11510, CVE-2020-8243, and CVE-2020-8260, which allow attackers to establish persistence and further compromise vulnerable appliances.

Mandiant, a US-based security firm, detected multiple intrusions exploiting these vulnerabilities that targeted various industries in the US and Europe. The firm believes that China is behind these attacks.

The researchers believe UNC2630 and UNC2717 are the main advanced persistent threat (APT) groups responsible for the attacks, and that they are working for the Chinese government.

Although there is evidence of data theft at many organizations, Mandiant says it has not directly observed staging or exfiltration of data that would violate the Obama-Xi agreement:

“Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan,” Mandiant says. “While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.”

In a report released in February, Mandiant described 12 malware families and tools that had weaponized multiple Pulse Secure vulnerabilities. There are now 16 with the discovery of four new malware families, all of which are linked to UNC2630: Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse.

In some cases, the Chinese actors removed a number of backdoors but left persistence patches in place to allow exploitation in the future. This demonstrates an unusual “concern for operational security and a sensitivity to publicity.”

Chinese cyber espionage has become more sophisticated and less restrained by diplomatic pressures, according to the report released by the US-based security firm Mandiant.

Ivanti, Pulse Secure’s parent company, has released a number of patches and an integrity tool for customers to check their builds for risk.


About the author

CIM Team