Hackers suspected of being backed by the Chinese government are exploiting critical vulnerabilities in Pulse Secure VPN to infiltrate government servers and large companies including those linked to the defense industry in the United States.
For six months, a surge of intrusions has hit the servers of government, financial and defense-related organizations around the world, most notably in the United States. Spotted by Mandiant, a company specializing in cybersecurity, this wave specifically targets vulnerabilities in the Pulse Secure VPN, which is widely used by these organizations and companies. The attackers exploited a zero-day flaw, one that had never been identified before, to bypass two-factor authentication and get into the servers of the targeted companies and organizations. Once inside, they install payloads that remain active and allow them to keep remote control over the servers even after VPN security updates are applied. According to Mandiant, this flaw, tracked as CVE-2021-22893, has been exploited by several hacker groups. In all, twelve malware families revolve around these Pulse Secure VPN vulnerabilities.
Chinese government-linked hacker groups
Among the actors behind these attacks, Mandiant claims to have uncovered evidence linking one of the hacker groups to the Chinese government. Tracked as UNC2630, this new, hitherto unknown team appears to have ties to a Chinese hacker group that has been operating since 2007 and is identified as APT5, which is known for its ties to the Chinese government. Another team, called UNC2717, may also be linked to APT5.
The zero-day flaw now has a patch, which Ivanti, the parent company of Pulse Secure, has just released. The US cybersecurity agency (CISA) urges organizations to apply it immediately. But Mandiant also notes that, aside from this vulnerability, the hackers are still exploiting vulnerabilities that were identified and patched as long as two years ago. As is often the case, the lack of updates in organizations and companies is the cause and source of these intrusions.