Threat actors are exploiting Pulse Secure zero-day to hack into organizations across the world

At least two hacker groups have been leveraging critical vulnerabilities in Pulse Secure VPN devices, as well as a zero-day flaw, in cyber attacks against defense, government, and financial organizations in the U.S. and other countries.

According to security advisories released by FireEye’s Mandiant team and Pulse Secure, in the observed attacks malicious actors leveraged several Pulse Secure vulnerabilities patched in 2019 and 2020 (CVE-2019-11510, CVE-2020-8243) and a previously unknown bug, tracked as CVE-2021-22893, to bypass multi-factor authentication protections and get access to enterprise networks.

“A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector,” FireEye said.

According to the cybersecurity firm, the attacks started in August 2020 when the first group, known as UNC2630, began targeting US defense contractors and European organizations.

The researchers believe that UNC2630 is working on behalf of the Chinese government and may have ties to another China-linked espionage actor tracked as APT5 based on “strong similarities to historic intrusions dating back to 2014 and 2015.”

FireEye is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices which are able to circumvent authentication and have backdoor capabilities. However, these malware families are not necessarily related to each other, FireEye noted.

The list of malware families includes:

UNC2630: SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK

UNC2717: HARDPULSE, QUIETPULSE, and PULSEJUMP

Two additional malware families, STEADYPULSE and LOCKPICK, used in the attacks, have not been attributed to any threat actor due to lack of evidence.

“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance,” FireEye noted.

Pulse Secure’s parent company, Ivanti, provided temporary mitigations to prevent attacks, and the final patch is expected to be released in May 2021.
