{
	"id": "87821ba7-3b8c-4f9f-b636-d2963eceaa81",
	"created_at": "2026-04-06T00:14:43.255415Z",
	"updated_at": "2026-04-10T03:35:44.251525Z",
	"deleted_at": null,
	"sha1_hash": "bf9576b4ac98ecf028f0627b7ea077ee7cc694e4",
	"title": "A Chinese APT is now going after Pulse Secure and Fortinet VPN servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44219,
	"plain_text": "A Chinese APT is now going after Pulse Secure and Fortinet VPN servers\r\nBy Catalin Cimpanu, Contributor, Sept. 5, 2019 at 7:11 a.m. PT\r\nArchived: 2026-04-05 15:04:08 UTC\r\nA group of Chinese state-sponsored hackers is targeting enterprise VPN servers from Fortinet and Pulse Secure after details about security flaws in both products became public knowledge last month.\r\nThe attacks are being carried out by a group known as APT5 (also known as Manganese), ZDNet has learned from sources familiar with the attacks.\r\nAccording to a FireEye report, APT5 has been active since 2007, and \"appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure.\"\r\nFireEye says the group has targeted or breached organizations across multiple industries, but its focus appears to be primarily on telecommunications and technology companies, with a special interest in satellite communications firms.\r\nAPT5 attacks began last month\r\nStarting in late August, a subgroup of the larger APT5 umbrella group appears to have set up infrastructure through which it started conducting internet scans to search for Fortinet and Pulse Secure VPN servers.\r\nAPT5 was among the first to start scanning the internet and then later attempt to exploit two vulnerabilities in the two VPN server products.\r\nDetails about these two vulnerabilities were presented two weeks before, at the Black Hat USA security conference in Las Vegas.\r\nBoth vulnerabilities (CVE-2018-13379 for Fortinet and CVE-2019-11510 for Pulse Secure) are so-called \"pre-auth file reads,\" which allow an attacker to retrieve files from the VPN server without needing to authenticate.\r\nAPT5 -- and other threat groups -- were using these two vulnerabilities to steal files storing password information or VPN session data from the affected products. 
These files would have allowed attackers to take over vulnerable devices.\r\nSources who observed the APT5 attacks said they weren't in a position to determine if the group was successful in breaching the devices.\r\nhttps://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/\r\nPage 1 of 3\n\nTargeted VPN servers are high-end products\r\nBoth Fortinet's Fortigate SSL VPN and Pulse Secure's SSL VPN products are extremely popular. For example, Fortinet's Fortigate VPN is the absolute market leader, with over 480,000 Fortigate SSL VPN servers operating across the world.\r\nOn the other hand, Pulse Secure's SSL VPN is considered the SSL VPN market's most high-end product, being installed to protect access to internal networks at many Fortune 500 companies, the internet's biggest tech firms, and government agencies.\r\nAccording to threat intelligence firm Bad Packets LLC, there are around 42,000 Pulse Secure VPN servers available online.\r\nMany companies failed to patch\r\nBoth the Fortinet and Pulse Secure vulnerabilities were discovered earlier this year by security researchers from a company named Devcore.\r\nThe issues were reported to both vendors in March, and patched by both vendors with the utmost urgency, Devcore said in two blog posts describing both issues [1, 2]. Pulse Secure released a patch in April, and Fortinet followed with its own in May.\r\nHowever, owners of these two SSL VPN servers appear to have failed to install these patches. The reasons for not doing so vary.\r\nOn one hand, many Fortinet customers reported on social media that they didn't even know that there was a security fix available for the Fortigate VPN, let alone that they had to patch.\r\nThe company did not return a request for comment sent earlier this week, seeking more information. 
However, Fortinet published a blog post days before, on August 28, bringing the issue of its May patch to the attention of its site readers once more.\r\nPulse Secure warned and contacted customers\r\nOn the other hand, Pulse Secure was a lot more active in notifying customers, but that didn't mean clients heeded the company's advice.\r\nA scan in mid-August found that almost 14,500 of the 42,000 Pulse Secure SSL VPN servers were still running a vulnerable version. A second scan performed last week found that the number barely went down, reaching 10,500.\r\nBut the blame here doesn't seem to be on Pulse Secure.\r\n\"We not only issued a public Security Advisory - SA44101, but commencing that day in April, we actively informed our customers, partners and service providers of the availability and need for the patch via email, in-product alerts, on our community site, within our partner portal, and our customer support web site,\" Scott Gordon, Chief Marketing Officer at Pulse Secure, told ZDNet in an email, describing the company's efforts to notify customers.\r\n\"Our customer success managers have also been directly contacting and working with customers,\" he added. 
\"In addition, Pulse Secure support engineers have been available 24x7, including weekends and holidays, to help customers who need assistance to apply the patch fix.\r\n\"We also offered assistance to customers to apply the patch fix for these vulnerabilities even if they were not under an active maintenance contract,\" Gordon said.\r\n\"Customers that still need assistance should contact Pulse Secure support using the contact information on the following URL: https://support.pulsesecure.net/support/support-contacts/\"\r\nGordon said that these efforts have been fruitful, as the majority of the company's customers had successfully applied the patch by late August.\r\nNonetheless, not all customers have heeded the company's advice, and these organizations might end up paying a steeper price later down the road.\r\nChinese APTs (advanced threat groups) don't just breach foreign targets (companies, government organizations, universities) for the purpose of intelligence gathering or political cyber-espionage. They also steal intellectual property, which many times makes its way into the hands of Chinese competitors, hurting the hacked companies for years to come in ways many didn't expect.\r\nSource: https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/"
	],
	"report_names": [
		"a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers"
	],
	"threat_actors": [
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf9576b4ac98ecf028f0627b7ea077ee7cc694e4.pdf",
		"text": "https://archive.orkl.eu/bf9576b4ac98ecf028f0627b7ea077ee7cc694e4.txt",
		"img": "https://archive.orkl.eu/bf9576b4ac98ecf028f0627b7ea077ee7cc694e4.jpg"
	}
}