China-linked APT used Pulse Secure VPN zero-day to hack US defense contractors

At least one China-linked APT group exploited a new zero-day flaw in Pulse Secure VPN equipment to break into the networks of US defense contractors.

According to coordinated reports published by FireEye and Pulse Secure, two hacking groups have exploited a new zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defense contractors and government organizations worldwide.

The statement reveals that one of the two hacking groups was a China-linked cyber espionage group.

The attacks were first discovered by the cybersecurity firm FireEye early this year, when the Mandiant incident response team investigated multiple security breaches at defense, government, and financial organizations around the world. In all the intrusions, the attackers targeted Pulse Secure VPN appliances in the breached networks.

“In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.” reads the report published by FireEye.

The attacks began in August 2020, when a group tracked by FireEye as UNC2630, began targeting US defense contractors and European organizations. Threat actors leveraged Pulse Secure VPN bugsdisclosed in 2019 and 2020, along with a new zero-day tracked as CVE-2021-22893.

“A vulnerability was discovered under Pulse Connect Secure (PCS).  This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.” reads the advisory published by Pulse Secure.

The vendor also released a tool that can scan Pulse Secure VPN servers for signs of compromise for CVE-2021-22893 or other previous vulnerabilities.

Experts reported that the threat actors leveraged the above issued to deliver one of the following backdoors and webshells:


The UNC2630 group was harvesting credentials from various Pulse Secure VPN login flows, then used legitimate account credentials to move laterally into the affected environments.

“In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.” continues the report. “This was done to accomplish the following:

  1. Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
  2. Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.
  3. Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.
  4. Maintain persistence across VPN appliance general upgrades that are performed by the administrator.
  5. Unpatch modified files and delete utilities and scripts after use to evade detection.
  6. Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.

Starting from October 2020, a second group tracked by FireEye as UNC2717 started exploiting the same zero-day flaw to install the following malware on the networks of government agencies in Europe and the US:


In March 2021, FireEye investigated a separate intrusion attributed to the UNC2717 threat actors that used RADIALPULSE, PULSEJUMP, and HARDPULSE to penetrate a European organization. These malware strains have many similarities with other code families used by UNC2630.

At the time of this writing it is not clear if the two groups are linked, but experts speculate the involvement of other groups.

“Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors” continues the report.

FireEye revealed that the analysis of internal data confirmed that UNC2630 group was China-linked cyber espionage group linked to the APT5.

The advisory published by FireEye includes recommendations, detections and mitigations.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini AuthorPierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine

Similar Posts