Cyber Threat Report: 'Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day'

Report Author: Mandiant
Publication Date: 2021-04-20
Original Reporting Source:
Attributed to Nation: China
Related Intrusion Sets: UNC2717, UNC2630
Identified CVEs: CVE-2021-22893
Victim Sectors: Financial Services, National Government, Defense

Reporting from Mandiant that discusses the exploitation of Pulse Secure VPN devices in 2021 and the 12 malware families associated with the campaign. The report identifies activity associated with at least two distinct intrusion sets: UNC2717 and UNC2630.

Identified MITRE ATT&CK Techniques

ATT&CK ID | Title                                       | Associated Tactics
T1136     | Create Account                              | Persistence
T1057     | Process Discovery                           | Discovery
T1070.001 | Clear Windows Event Logs                    | Defense Evasion
T1574     | Hijack Execution Flow                       | Defense Evasion, Persistence, Privilege Escalation
T1070     | Indicator Removal                           | Defense Evasion
T1049     | System Network Connections Discovery        | Discovery
T1071.001 | Web Protocols                               | Command and Control
T1021.001 | Remote Desktop Protocol                     | Lateral Movement
T1016     | System Network Configuration Discovery      | Discovery
T1070.004 | File Deletion                               | Defense Evasion
T1111     | Multi-Factor Authentication Interception    | Credential Access
T1592.004 | Client Configurations                       | Reconnaissance
T1036.005 | Match Legitimate Name or Location           | Defense Evasion
T1082     | System Information Discovery                | Discovery
T1190     | Exploit Public-Facing Application           | Initial Access
T1048     | Exfiltration Over Alternative Protocol      | Exfiltration
T1140     | Deobfuscate/Decode Files or Information     | Defense Evasion
T1105     | Ingress Tool Transfer                       | Command and Control
T1556.004 | Network Device Authentication               | Credential Access, Defense Evasion, Persistence
T1518     | Software Discovery                          | Discovery
T1059.003 | Windows Command Shell                       | Execution
T1569.002 | Service Execution                           | Execution
T1554     | Compromise Client Software Binary           | Persistence
T1505.003 | Web Shell                                   | Persistence
T1098     | Account Manipulation                        | Persistence, Privilege Escalation
T1134.001 | Token Impersonation/Theft                   | Defense Evasion, Privilege Escalation
T1003     | OS Credential Dumping                       | Credential Access
T1562     | Impair Defenses                             | Defense Evasion
T1600     | Weaken Encryption                           | Defense Evasion
T1133     | External Remote Services                    | Initial Access, Persistence
T1053     | Scheduled Task/Job                          | Execution, Persistence, Privilege Escalation
T1027     | Obfuscated Files or Information             | Defense Evasion
T1059     | Command and Scripting Interpreter           | Execution