Multiple cyber threat groups working to support China’s long-term economic interests are believed to be continuing to break into networks belonging to the defense, high-tech, government, transportation, and financial services sectors in the United States and Europe.
FireEye’s Mandiant team reported this week that it has responded to numerous intrusions in which Chinese threat actors hacked into Pulse Secure VPN devices and used them to penetrate the organization’s network and steal sensitive data.
In many cases, the attackers used a combination of an authentication bypass vulnerability in Pulse Connect Secure (PCS) devices (CVE-2021-22893) and previously known vulnerabilities to gain initial access to the victim’s network. The authentication bypass vulnerability was discovered and patched last month, but only after attackers had begun exploiting it in the wild. Mandiant researchers, however, are usually unable to determine the initial access vector, either because the threat actor deleted or modified the forensic evidence, or because a software update to the Pulse Secure device itself destroyed the evidence of the initial intrusion.
Mandiant’s warning this week about China’s advanced persistent threat (APT) campaign against US and European companies is an update to a warning it issued last month on the same issue. In that alert, Mandiant reported that two groups based in China, UNC2630 and UNC2717, had used a set of malware tools to exploit vulnerabilities in Pulse Secure VPN devices. Mandiant said it had observed UNC2630 targeting organizations in the US defense industrial base, while UNC2717 had hit an organization in the European Union. That report provided an analysis of 12 malware families that the security vendor said it had observed attackers using to specifically target vulnerabilities in Pulse Secure VPN devices.
In this week’s report, Mandiant said it has found four additional malware families, Bloodmine, Bloodbank, CleanPulse and RapidPulse, which appear to be designed specifically to exploit Pulse Secure VPN devices. Mandiant said the total number of malware families it has observed Chinese APT groups using to specifically target Pulse Secure VPN since April last year has reached 16.
Mandiant reverse engineer Stephen Eckels said: “The exploitation activity we have observed targeted unpatched systems and CVEs from 2019 and 2020, as well as the previously unpatched 2021 CVE (CVE-2021-22893). Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day vulnerability has also been patched.”
Similarly, he said, other vulnerabilities discovered by Pulse Secure’s parent company Ivanti during a code review have also been fixed.
Eckels said: “Currently, Pulse Secure has patched all known vulnerabilities.”
Once inside the network, the attackers used various methods to achieve persistence and lateral movement. In some cases, the attacker created their own local administrator account on a strategically placed Windows server and used that account to move freely through the victim’s network. They also made a point of using Pulse Secure webshells and malware to maintain persistence rather than relying on backdoors on internal endpoints. In certain attacks, the threat actors went after individuals with privileged accounts by first compromising non-privileged accounts belonging to the same person.
According to Mandiant, UNC2630 and UNC2717 are only two of multiple threat groups targeting Pulse Secure VPN. These groups appear to be operating on behalf of the Chinese government. Several of them use the same set of tools, but their tactics and techniques tend to vary.
The main motivation appears to be collecting data that will help China achieve the goals of its recent 14th Five-Year Plan. Many of the victims come from industries that China considers strategically important, including high-tech and national defense. Mandiant said it has observed Chinese threat actors stealing intellectual property with dual commercial and military uses.
So far at least, there is no evidence that the threat actors have stolen US data that would give Chinese companies an economic advantage. The 2012 agreement between President Barack Obama and Chinese President Xi Jinping explicitly prohibits cyber espionage involving such data. But that doesn’t mean they haven’t, said Ben Read, director of threat intelligence analysis at Mandiant.
“At present, we cannot say that they have not, but we have no direct evidence that they have violated [the agreement],” he said. “Some of the affected entities are private companies with commercial intellectual property, and theft of it would violate the agreement. We just haven’t seen direct evidence that this type of data is being staged or stolen.”
Mandiant’s report on the intensive Chinese APT activity coincides with a warning from Microsoft this week that Nobelium, the Russian threat actor behind the SolarWinds attack, has launched a wide-ranging email campaign. In both cases, the main motivation appears to be cyber espionage in support of national strategic goals.
Jai Vijayan is an experienced technology journalist with more than 20 years of experience in the IT trade press. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication.