Η CISA issued a notice for various samples malware found on Pulse Secure devices, and which to a large extent were not detected by antiviral products.
From June 2020, Pulse Secure Devices in US Government Services, Critical Infrastructure and Various Organizations of the private sector are the target of cyber attacks.
Yesterday, CISA published reports on 13 samples of malware found on compromised Pulse Secure devices. Administrators are encouraged to review reports of intruders and learn of attackers' tactics, techniques, and procedures.
All malicious files analyzed by CISA were found on compromised devices Pulse Connect Secure and some of them were modified versions of legal Pulse Secure scripts.
In most cases, the malicious files were webshells for activating and executing commands.
Speaking of a specific sample malware, CISA states that it is a "modified version of a Pulse Secure Perl Module" (DSUpgrade.pm), which the attackers converted into a webshell (ATRIUM) to execute remote commands.
The list of legal Pulse Secure files modified by hackers includes:
- licenseserverproto.cgi (STEADYPULSE)
- clear_log.sh (THINBLOOD LogWiper Utility Variant)
- compcheckjava.cgi (hardpulse)
- meeting_testjs.cgi (SLIGHTPULSE)
Some of the above files were modified for malicious purposes in this year's attacks, which were investigated by the company Mandiant. In a report in April, investigators said Chinese hackers had taken advantage of the vulnerability. CVE-2021-22893.
According to the Mandiant report, the attackers exploited the vulnerability and turned the legal files into STEADYPULSE, HARDPULSE and SLIGHTPULSE webhells.
In another case, attackers modified a Pulse Secure system file to steal credentials.
Most of the files CISA found on compromised Pulse Secure devices were not detected by antivirus solutions. Only one of them was identified.
CISA recommends that administrators enhance their security by following these practices:
- Update antivirus signatures.
- Operating system update.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Imposition of restrictions on users so that they can not install and run unwanted software applications.
- Use strong passwords.
- Be careful when opening emails and attachments.
- Enable firewall.
- Disable unnecessary services on workstations and servers.
- Scan and remove suspicious email attachments.
- Monitor users' browsing activities. Restrict access to sites with dangerous content.
- Be careful when using removable media (eg USB thumb drive, external drives, CDs, etc.).
- Scan the software you download from the Internet before running it.
- Update on new cyber threats.
Source: Bleeping Computer