The US’ main cybersecurity agency, CISA, released an alert regarding the exploitation of Pulse Secure devices. Researchers found over a dozen malware samples on exploited devices. The malware was mostly undetected by antivirus products.
Attacks on Pulse Secure devices have occurred since June 2020. Among targets were U.S. government agencies, critical infrastructure entities, and various private sector organizations.
Multiple vulnerabilities were exploited by attackers to gain initial entry and place webshells for backdoor access, among them CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-2289.
Yesterday, CISA released analysis reports on 13 malware pieces, some of which contain multiple files. CISA encouraged administrators to review the reports and learn about the various threats posed by the attacker.
The files found in this analysis were extracted from compromised Pulse Connect Secure devices. Some of them were modified legitimate Pulse Secure (PS) scripts. In most cases, the malicious files were webshells used to activate and run remote commands.
One sample, the researchers said, was “a modified version of a Pulse Secure Perl Module” namely DSUpgrade.pm, used to allow remote attackers to execute arbitrary commands.
The list of legitimate Pulse Secure files modified by the attacker also includes: licenseserverproto.cgi (STEADYPULSE), tnchcupdate.cgi, healthcheck.cgi, compcheckjs.cgi, DSUpgrade.pm.current, DSUpgrade.pm.rollback, clear_log.sh (THINBLOOD LogWiper Utility Variant), compcheckjava.cgi (HARDPULSE), and meeting_testjs.cgi (SLIGHTPULSE).
Some files used in the incidents and modified for malicious purposes were previously investigated and reported by Mandiant. According to the cybersecurity firm, a suspected Chinese threat actor had leveraged CVE-2021-22893 and turned the files into webshells.
The security researchers also discovered a modified version of the Unix Unmount application that allowed remote attackers to gain access to a compromised Unix device.
In another instance, the threat actor collected credentials from PS users that successfully logged in. The collected data was then stored in a temporary directory on the affected device.
Most of the files found on compromised Pulse Secure devices were not detected by the antivirus solutions at the time they were discovered.
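Because the tampered files were legitimate Pulse Secure components that antivirus did not flag, a baseline-hash comparison is the check a defender would reach for. The following is an added example, not code from the article or from CISA: it hashes the file names listed above against a baseline taken from a known-good image and reports modified, missing and unexpected files. The directory layout, file contents and the baseline itself are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Legitimate Pulse Connect Secure files the CISA reports describe as modified
# by the attacker (names from the article; paths and hashes here are constructed).
WATCHED_FILES = [
    "licenseserverproto.cgi", "tnchcupdate.cgi", "healthcheck.cgi",
    "compcheckjs.cgi", "DSUpgrade.pm", "DSUpgrade.pm.current",
    "DSUpgrade.pm.rollback", "clear_log.sh", "compcheckjava.cgi",
    "meeting_testjs.cgi",
]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash the watched files on a known-good image (taken before deployment)."""
    return {n: sha256_of(root / n) for n in WATCHED_FILES if (root / n).exists()}

def check_integrity(root: Path, baseline: dict) -> dict:
    """Report files whose hash changed, files that vanished, and watched names
    that appear on disk without a baseline entry (e.g. a dropped .current copy)."""
    result = {"modified": [], "missing": [], "unexpected": []}
    for n in WATCHED_FILES:
        path = root / n
        if n in baseline:
            if not path.exists():
                result["missing"].append(n)
            elif sha256_of(path) != baseline[n]:
                result["modified"].append(n)
        elif path.exists():
            result["unexpected"].append(n)
    return result

def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for n in ("healthcheck.cgi", "DSUpgrade.pm", "clear_log.sh"):
            (root / n).write_text("legit " + n)
        baseline = build_baseline(root)
        (root / "DSUpgrade.pm").write_text("legit DSUpgrade.pm\n# injected")  # modified
        (root / "DSUpgrade.pm.current").write_text("copy")  # unexpected extra file
        (root / "clear_log.sh").unlink()  # missing (wiped)
        return check_integrity(root, baseline)
```

The baseline must come from a trusted image or vendor-supplied hashes, never from a device that may already be compromised; `demo()` returns the three lists for the constructed scenario.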
The agency advises administrators to strengthen their security posture by following best practices. These include updating antivirus signatures and engines, keeping the OS up to date with the latest patches, enforcing a strong password policy and implementing regular password changes, disabling unnecessary services on agency machines and servers, restricting users from installing and running unwanted software, training staff to refrain from opening e-mail attachments that are not expected, setting up a personal firewall on agency workstations, and more. The full list is available in the CISA alert.