An attack group potentially acting in the interests of the Chinese government has exploited vulnerabilities, including a zero day, in the widely deployed Pulse Connect Secure VPN appliance to compromise government agencies in the United States and Europe, as well as several dozen other organizations. The attackers used the access to gather credentials, steal sensitive data, and place webshells on targeted appliances to maintain persistence. Although researchers have not been able to pinpoint exactly when the attacks began, they have been ongoing for more than a year and could go back several years.

Researchers at FireEye Mandiant uncovered the activity targeting Pulse Secure appliances while responding to customer incidents in recent months. They found that a group Mandiant now tracks as UNC2630, and possibly several other threat actors, have been exploiting several previously known flaws and one newly discovered vulnerability in the appliances. The new vulnerability (CVE-2021-22893) is a critical remote code execution flaw discovered earlier this month. Pulse Secure has released mitigations for the flaw but won't have a patch ready until early May.