
Cyber Espionage, Pulse Connect Secure flaws exploited by APTs

FireEye: Pulse Connect Secure flaws exploited by APTs. UNC2630 and UNC2717 are using CVE-2021-22893 to spy on US and European government, defense, and financial organizations.

Pulse Connect Secure (PCS) has a critical authentication bypass vulnerability, CVE-2021-22893, that allows an unauthenticated attacker to achieve remote arbitrary file execution on the gateway via specific vectors. The flaw was disclosed by the vendor itself, and Pulse Secure has published a workaround and an Integrity Checker Tool so that administrators can test appliances for signs of compromise. The bug has already been exploited in the wild, chained with other, previously known PCS vulnerabilities, by suspected state-sponsored threat actors to breach the networks of dozens of US and European government, defense, and financial organizations.

According to FireEye, at least two threat actors, UNC2630 and UNC2717, have deployed 12 malware families in these attacks, including SLOWPULSE, to harvest credentials and then use them to move laterally inside the affected environments. To maintain persistence on compromised networks, the actors used legitimate but modified Pulse Secure binaries and scripts on the VPN appliance, which is why a hash comparison against known-good vendor files, rather than a signature scan for new files alone, is the check that surfaces this kind of tampering.
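The persistence technique described above (trojanized copies of legitimate appliance binaries and scripts) is what a file-integrity check is designed to catch. The following Python script is an added example, written for this page and not the vendor's Integrity Checker Tool or FireEye's code; it builds a SHA-256 baseline of a constructed, hypothetical appliance file tree, simulates the three tampering patterns (a patched binary, an appended script, and a dropped extra file), and reports modified, unexpected, and missing files. The directory layout and file names are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    In practice this manifest would come from trusted, vendor-supplied media,
    not from the appliance being checked, since a root-level intruder can
    regenerate on-box hashes to match the tampered files.
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and classify each deviation."""
    current = build_baseline(root)
    findings = {"modified": [], "unexpected": [], "missing": []}
    for rel, expected in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)        # vendor file removed
        elif current[rel] != expected:
            findings["modified"].append(rel)       # legitimate file, altered contents
    for rel in current:
        if rel not in baseline:
            findings["unexpected"].append(rel)     # file the vendor never shipped
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical appliance layout; names are illustrative only.
        (root / "bin").mkdir()
        (root / "bin" / "authd").write_bytes(b"ORIGINAL AUTH BINARY\n")
        (root / "scripts").mkdir()
        (root / "scripts" / "maint.sh").write_text("#!/bin/sh\necho maintenance\n")
        (root / "scripts" / "rotate.sh").write_text("#!/bin/sh\necho rotate logs\n")

        baseline = build_baseline(root)

        # Simulated intrusion: patch a binary in place, append to a legitimate
        # script, drop a new persistence script, and delete a vendor script.
        (root / "bin" / "authd").write_bytes(b"ORIGINAL AUTH BINARY\n# patched: copy creds\n")
        with (root / "scripts" / "maint.sh").open("a") as fh:
            fh.write("sh /tmp/.x\n")
        (root / "scripts" / "persist.sh").write_text("#!/bin/sh\nsh /tmp/.x\n")
        (root / "scripts" / "rotate.sh").unlink()

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Only the modified and missing categories rely on the baseline being trustworthy; the unexpected category still needs the manifest to be complete, otherwise benign vendor files show up as noise. Because an attacker who already has root on the appliance can also alter the checker itself, run this kind of check from a tool loaded from trusted media rather than from a script that lives on the suspect device.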
