FireEye researchers are tracking a campaign in which threat actors are exploiting a zero-day bug in the Pulse Connect Secure gateway to breach government and corporate networks. The bug lets attackers bypass authentication and install malware on the target network, from which they steal login credentials and move laterally for further exploitation.
Zero-day Bug in Pulse Connect Gateway
Researchers at the cybersecurity firm FireEye reported a campaign in which at least two threat actors are actively exploiting a zero-day bug in the Pulse Connect Secure gateway. Tracked as CVE-2021-22893, this zero-day is an authentication bypass vulnerability for which no patch was yet available.
Combined with other vulnerabilities in Pulse VPN devices, this bug can be used for deep exploitation of a network. According to FireEye, two threat groups, labeled UNC2630 and UNC2717, are attacking a number of institutions in several countries. The first, UNC2630, is assessed to be acting on behalf of the Chinese government, since it shares characteristics with APT5 and targets the US Defense Industrial Base.
Attacks by this group are said to have been under way since August 2020, with activity later expanding under the UNC2717 cluster, which continued attacking government agencies in the US and UK. The attacks were observed until at least March 2021, with the actors installing custom malware in the compromised networks, likely for reconnaissance purposes.
Researchers listed the malware families deployed into the compromised networks by these two threat actors:
- UNC2630 – SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
- UNC2717 – HARDPULSE, QUIETPULSE, and PULSEJUMP
They further warn that, by chaining other vulnerabilities in Pulse Secure VPNs (such as CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243), attackers can harvest login credentials and use them for lateral movement across the network. The actors are also said to be using legitimate Pulse Secure binaries and scripts to perform file operations and run malicious code, which makes their activity harder to distinguish from normal administration.
While a patch for this bug is being developed, Ivanti, the maker of Pulse Connect Secure, has published temporary mitigations to safeguard affected networks. The bug was given the maximum severity score of 10, and organizations are advised to patch as soon as the PCS Server version 9.1R.11.4 update is released, expected in early May this year.