"Attackers Are Exploiting Zero-Day in Pulse Secure VPNs to Breach Orgs"

Researchers at FireEye Mandiant have warned of the exploitation of one zero-day vulnerability and several old flaws in widely deployed Pulse Connect Secure (PCS) Virtual Private Network (VPN) devices to compromise defense, government, and financial organizations. According to PCS Chief Security Officer Phil Richards, software updates for addressing the zero-day vulnerability will be released in early May. Until then, workarounds have been offered to mitigate the risk of that flaw's exploitation. A tool was also released to help defenders check if their systems have been impacted. FireEye Mandiant found that threat actors have been exploiting four PCS vulnerabilities and using 12 malware families to evade authentication as well as obtain backdoor access to targeted devices. The hacking campaigns behind the attacks are labeled as UNC2630 and UNC2717. It is suspected that UNC2630 is working on behalf of the Chinese government, while the government or APT group behind UNC2717 remains unknown. The researchers observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows. This allowed the actor to use legitimate account credentials to move laterally into impacted networks. In addition, the actor used modified Pulse Secure binaries and scripts on the VPN appliance to maintain persistence. This article continues to discuss the exploitation of PCS VPN device vulnerabilities to breach organizations. 

Help Net Security reports "Attackers Are Exploiting Zero-Day in Pulse Secure VPNs to Breach Orgs"