Chinese Cyberspies UNC2630 Targeting US and EU Organizations

Chinese Cyberspies UNC2630 Targeting US and EU Organizations

China-sponsored threat groups, tracked as UNC2630 and UNC2717, are deploying new malware strains on compromised networks. Recently, the groups have targeted dozens of U.S. and EU organizations after abusing vulnerable Pulse Secure VPN appliances.

What has happened?

A month ago, threat actors were abusing a recently patched zero-day in Pulse Connect Secure gateways. They deployed malware to gain access to networks, collect credentials, and steal proprietary data.
UNC2630 installed four new malware strains, bringing the total to 16 malware families custom-tailored for targeting Pulse Secure VPN appliances.
These new malware families are Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse. Moreover, old malware families identified as SlowPulse, SlightPulse, and HardPulse, among others, were also put to use.
Many of the targeted organizations operate in defense, government, high-tech, transportation, and financial sectors aligning with Beijing's strategic goals mentioned in China's recent 14th Five Year Plan.
The threat actors exploited CVE-2021-22893 to target the devices, along with previously disclosed vulnerabilities from 2019 and 2020 (CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243).

Moreover, the threat groups boast of a deep understanding of network appliances and enhanced knowledge of a network they target.

Evading detection

Both UNC2630 and UNC2717 go to impressive lengths to avoid detection.

They were found modifying their file timestamps and regularly editing or ..

Support the originator by clicking the read the rest link below.