Hackers use 0-day in Pulse Secure VPN to attack US Defense contractors
FireEye claims that two hack groups use the 0-day vulnerability in Pulse Secure VPN to attack the networks of US Department of Defense contractors and government organizations around the world.
Experts discovered the attacks earlier this year, and the developers of Pulse Secure VPN have already confirmed the claims of the researchers. According to FireEye, the hacks started way back in August 2020, when the first hack group, which the company tracks as UNC2630, targeted US defense contractors and European organizations.
At that time, the attackers combined older Pulse Secure VPN bugs with a new 0-day vulnerability (CVE-2021-22893) to take control of Pulse Secure devices and then install the SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE or PULSECHECK malware on them. These malware families acted as web shells and backdoors into the compromised organization’s network.
In October 2020, a second group of hackers joined the attacks; FireEye assigned it the ID UNC2717. This group used similar methods and a 0-day bug to install its own set of malware on devices (HARDPULSE, QUIETPULSE, and PULSEJUMP). The second group’s attacks affected government networks in Europe and the United States.
FireEye has not yet been able to link the two groups and campaigns.
“Perhaps one or more related groups are responsible for developing and distributing various tools to loosely related APTs,” information security specialists say.
According to experts, the attacks continued until March 2021. During the investigation, analysts found two additional malware samples (bringing the total number of malware families to 12) that were also used in the intrusions, but the company was unable to unambiguously attribute these samples to a specific group of attackers.
FireEye has almost no information about the second hack group, but internal research suggests that the first group, UNC2630, appears to be “acting on behalf of the Chinese government and may have ties to APT5,” a well-known Chinese cyber-espionage group.
Pulse Secure has already released a security bulletin for CVE-2021-22893. The document contains recommendations and temporary mitigations to prevent attacks, while a full patch for this problem will be available only in May.
The company also introduced the Pulse Security Integrity Checker Tool, which is designed to scan Pulse Secure VPN servers for signs of compromise, including exploitation of CVE-2021-22893 and other known vulnerabilities.
As I reported before, FireEye said that there are more than 1900 active hacker groups in the world.