The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report this week that details five new malware samples targeting Pulse Secure devices. The report also discusses how to protect against the Pulse Connect Secure VPN vulnerabilities.
Pulse Secure manufactures VPN routers that provide end-to-end secure remote and mobile access from any device to enterprise services and applications in the data center and cloud. Several security holes were discovered in Pulse Connect Secure VPN appliances earlier this year, the most important of them being CVE-2021-22893 and CVE-2021-22937, which could allow attackers to take over the compromised appliances.
In April, the security agency released an advisory regarding attacks targeting Pulse Secure, which included indicators of compromise (IOCs) and malware used in the attacks. This week, it released details about five new malware samples.
Two of the samples analyzed by CISA are modified Pulse Secure files that were retrieved from infected devices and crafted to harvest credentials. One of them acts as a backdoor for remote access to the compromised device.
A second sample contained a shell script that could allow an attacker to log usernames and passwords.
A third sample involved multiple files, some consisting of a shell script that can modify a Pulse Secure file into a webshell.
Another one was designed to intercept certificate-based multi-factor authentication codes, while others can parse incoming web requests.
The fifth sample included two Perl scripts that were designed to execute attacker commands, a Perl library, and a Perl script. It also included a shell script that executes the “bin/umount” file.
The agency’s report details the various tactics and techniques adversaries use to attack users and expose them to various threats.
Pulse Secure, which was acquired by Ivanti last year, has also released a tool that helps users identify compromised appliances.