The week has barely started and zero-day exploits are already taking the cyberworld by storm. This time the flaws are in Pulse Secure VPN devices.
What’s going on?
Reports published by Pulse Secure and FireEye state that a new zero-day flaw in Pulse Secure VPN equipment has been abused by two hacking groups—UNC2630 and UNC2717—who broke into the networks of U.S. defense contractors and government organizations.
The attack and the attackers
- UNC2630 is a China-linked cyber espionage group and is believed to be tied with APT5, a threat actor probably associated with the Beijing government.
- The group attacked U.S. Defense Industrial Base (DIB) networks with SLOWPULSE, RADIALPULSE, THINBLOOD, PACEMAKER, ATRIUM, PULSECHECK, and SLIGHTPULSE. The attacks ranged from August 2020 and March 2021.
- UNC2717 activities ranged from October 2020 and March 2021 and attacked organizations with PULSEJUMP, QUIETPULSE, and HARDPULSE.
- No evidence has been found to connect this group with other APT groups or government sponsorship.
Why does this matter?
Cyberspies have, time and again, sought out flaws in VPN to make their way into networks. VPN exploits are the go to hack for nation-state hackers due to the reliance of organizations and government agencies on VPN software. The Pulse Connect Secure exploits can potentially be an entry-point to a data-rich network.
How to stay safe
- Use the most recent Pulse Secure Integrity Assurance utility version released in March.
- Install the latest security patches by Pulse Secure.
- Analyze forensic evidence to identify compromised user credentials, if any.
- Reset all passwords in the environment.
The bottom line
UNC2630 has been linked with attacks targeting companies operating in the aerospace and defense sector located in the U.S., Europe, and Asia. Although 24 agencies were found to be utilizing Pulse Connect Secure devices, as of now, the number of affected organizations is yet to be determined. The primary motives of the hackers include establishing persistence in networks, stealing data, and collecting credentials.