More than a dozen malware samples have been discovered on flawed Pulse Secure devices that were used to target U.S. government agencies, critical infrastructure entities, and private sector organizations. All of these malicious threats go undetected by most antivirus products currently on the market.
What has happened?
CISA has released analysis reports for 13 malicious threats found on compromised Pulse Secure devices. Some of the malware samples were observed dropping multiple files on the targeted machines.
According to the agency, the attackers are abusing multiple vulnerabilities, including CVE-2020-8243, CVE-2019-11510, CVE-2021-22893, and CVE-2020-8260, to gain initial access and place web shells, which are then used to deploy backdoors.
In most instances, the malicious files were web shells that accepted and executed remote commands, giving the attackers remote access and persistence; the remaining files were supporting utilities.
In one case, the agency discovered a tampered version of a Pulse Secure Perl module that had been modified into an Atrium web shell. Named DSUpgrade[.]pm, this is the main file in the system upgrade process.
Additional insights
CISA examined a large number of files found on the infected Pulse Connect Secure devices. Some of them were legitimate Pulse Secure scripts that had been modified.
The genuine Pulse Secure files that the agency found modified by attackers included licenseserverproto[.]cgi (STEADYPULSE), tnchcupdate[.]cgi, healthcheck[.]cgi, and compcheckjs[.]cgi.
Other files included DSUpgrade[.]pm[.]current, DSUpgrade[.]pm[.]rollback, clear_log[.]sh (a variant of the THINBLOOD LogWiper), compcheckjava[.]cgi (Hardpulse), and meeting_testjs[.]cgi (SLIGHTPULSE).
Some of these files were tampered with for malicious actions in incidents that occurred last year.
In April, Chinese hackers were believed to be abusing CVE-2021-22893 in the Pulse Connect Secure gateway for initial entry.
Conclusion
The federal agency recommends that administrators review the reports on the malware found on Pulse Secure devices for IoCs (indicators of compromise) and familiarize themselves with the attackers’ TTPs (tactics, techniques, and procedures).
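As an added defender-side example (not code from CISA's reports or from this article), the check below walks a Pulse Connect Secure file tree, flags any of the file names listed above that are absent from a known-good hash baseline, and reports hash mismatches against that baseline. The directory layout, file contents and baseline are constructed for the demo; on a real appliance the baseline hashes would come from a known-clean image.

```python
import hashlib
import os
import tempfile

# File names from the CISA findings summarised above (defanging dots restored).
WATCHLIST = {"DSUpgrade.pm", "licenseserverproto.cgi", "tnchcupdate.cgi",
             "healthcheck.cgi", "compcheckjs.cgi", "DSUpgrade.pm.current",
             "DSUpgrade.pm.rollback", "clear_log.sh", "compcheckjava.cgi",
             "meeting_testjs.cgi"}

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def watched_files(root):
    """Yield (name, path) for every watch-listed file found under root."""
    for d, _, files in os.walk(root):
        for n in files:
            if n in WATCHLIST:
                yield n, os.path.join(d, n)

def audit(device_root, baseline):
    """Sorted (name, reason) findings: watch-listed files absent from the baseline or changed."""
    findings = []
    for n, p in watched_files(device_root):
        if n not in baseline:
            findings.append((n, "not in known-good baseline"))
        elif sha256_file(p) != baseline[n]:
            findings.append((n, "hash mismatch"))
    return sorted(findings)

def _write(root, name, text):
    with open(os.path.join(root, name), "a") as f:  # append: reused to simulate tampering
        f.write(text)

def demo():
    """Constructed scenario: clean tree vs. a device with a modified script and a dropped file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dev:
        for root in (clean, dev):
            for n in ("DSUpgrade.pm", "healthcheck.cgi", "compcheckjs.cgi"):
                _write(root, n, "# constructed stand-in for %s\n" % n)
        # Baseline: name -> SHA-256 taken from the constructed clean tree.
        baseline = {n: sha256_file(p) for n, p in watched_files(clean)}
        _write(dev, "healthcheck.cgi", "# constructed extra line\n")  # modified legit script
        _write(dev, "clear_log.sh", "# constructed\n")                # dropped log wiper
        return audit(dev, baseline)
```

`demo()` returns the two findings a reviewer would expect: the dropped clear_log.sh with no baseline entry, and healthcheck.cgi whose hash no longer matches.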