China-sponsored threat groups, tracked as UNC2630 and UNC2717, are deploying new malware strains on compromised networks. Recently, the groups have targeted dozens of U.S. and EU organizations after abusing vulnerable Pulse Secure VPN appliances.

What has happened?

A month ago, threat actors were abusing a recently patched zero-day in Pulse Connect Secure gateways. They deployed malware to gain access to networks, collect credentials, and steal proprietary data.
  • UNC2630 installed four new malware strains, bringing the total to 16 malware families custom-tailored for targeting Pulse Secure VPN appliances.
  • These new malware families are Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse. Moreover, old malware families identified as SlowPulse, SlightPulse, and HardPulse, among others, were also put to use.
  • Many of the targeted organizations operate in defense, government, high-tech, transportation, and financial sectors aligning with Beijing's strategic goals mentioned in China's recent 14th Five Year Plan.
  • The threat actors exploited CVE-2021-22893 to target the devices, along with previously disclosed vulnerabilities from 2019 and 2020 (CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243).

Moreover, the threat groups boast of a deep understanding of network appliances and enhanced knowledge of a network they target.

Evading detection

Both UNC2630 and UNC2717 go to impressive lengths to avoid detection.
  • They were found modifying their file timestamps and regularly editing or deleting forensic evidence, for example, web server core dumps, logs, and files staged for exfiltration.
  • Between April 17 and 20, Mandiant incident responders also reported that UNC2630 had accessed dozens of targeted devices and removed webshells but did not remove the persistence patcher, only to regain access when the devices get an upgrade.

This spycraft makes it challenging for network defenders to establish a complete list of tools used, the initial intrusion vector, credentials stolen, or the intrusion start date.

Conclusion

Recent attacks show how advanced tools and techniques have been used by threat actors and highlight their efforts to gain persistence and remain undetected. Looking at the scenario, security agencies need to buckle up for more challenging events and detect such threats at an early stage to stay protected.

Cyware Publisher

Publisher

Cyware