
Days Before a Report, Chinese Hackers Removed Malware From Infected Networks

Friday May 28, 2021, 07:29 PM, from Slashdot
An anonymous reader shares a report: Last month, security firm FireEye detected a Chinese hacking campaign that exploited a zero-day vulnerability in Pulse Secure VPN appliances to breach defense contractors and government organizations in the US and across Europe. The hacking campaign allowed the threat actors -- two groups which FireEye tracks as UNC2630 and UNC2717 -- to install web shells on Pulse Secure devices, which the attackers used to pivot to internal networks from where they stole internal network credentials, email communications, and sensitive documents.

But in a follow-up report published today, FireEye said it found something strange -- namely that at least one of the groups involved in the attacks began removing its malware from infected networks three days before its researchers exposed the attacks. 'Between April 17th and 20th, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE,' researchers said on Thursday. The threat actor's actions are highly suspicious and raise questions if they knew of FireEye's probing.
