The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security alert on the discovery of 13 malware samples on compromised Pulse Secure devices, many of which went undetected by antivirus products. Experts pointed out that only one of the malware samples analyzed by CISA had been uploaded to VirusTotal, and even that one had a low detection rate.
The agency published a malware analysis report (MAR) for each malicious file; each report also includes the threat actor's tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) for that sample.
“As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 malware analysis reports (MARs) for threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) and to review CISA’s Alert Exploitation of Pulse Connect Secure Vulnerabilities for more information.” reads CISA’s alert.
Government experts reported that threat actors have been targeting Pulse Secure devices since June 2020 by attempting to exploit multiple known vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893.
Once they had gained access to the target network, the attackers placed webshells to keep backdoor access.
Some of the files analyzed by CISA are shell scripts used to modify a legitimate file on the device in order to plant a webshell that checks and parses incoming web request data. Other files discovered on the hacked Pulse Connect Secure devices were themselves modified versions of legitimate scripts.
The webshells were also used to achieve persistence and remotely access the devices.
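Hunting for this kind of tampering on a collected device image comes down to two checks: does every script still match a known-good hash, and does any script now read request data and hand it to a command-execution primitive? The Python below is an added example written for this article, not CISA's or Pulse Secure's tooling. The file paths, the baseline digests and the Perl CGI snippets (a clean handler, the same handler with an appended backdoor, and a standalone dropped shell) are all constructed stand-ins; the source and sink patterns are a starting point a practitioner would extend with the IOCs from the MARs.

```python
"""Audit scripts pulled from an appliance for tampering: compare each file
against a known-good SHA-256 baseline, then scan for the webshell pattern the
CISA reports describe (request data parsed and handed to command execution).

Added example for this article; not CISA's or Pulse Secure's tooling.  All
paths, baseline hashes and Perl CGI snippets below are constructed stand-ins.
"""
import hashlib
import re

# Constructed stand-in for a legitimate Perl CGI handler shipped on the device.
ORIGINAL_SCRIPT = """#!/usr/bin/perl
use strict;
use CGI;
my $q = CGI->new;
print $q->header('text/html');
print "<h1>Welcome</h1>\\n";
"""

# The same handler after a tampering shell script appended a backdoor that
# reads a request parameter and passes it to system() (constructed).
INJECTED = (
    "my $c = $q->param('x');\n"
    "if (defined $c) { print $q->header('text/plain'); system($c); }\n"
)
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + INJECTED

# An untouched handler and a standalone dropped shell (both constructed).
STATUS_SCRIPT = '#!/usr/bin/perl\nuse strict;\nprint "Content-Type: text/plain\\n\\nOK\\n";\n'
DROPPED_SHELL = "#!/usr/bin/perl\nmy $c = $ENV{'QUERY_STRING'};\nprint `$c`;\n"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Golden hashes recorded from a known-clean image (constructed paths).
BASELINE = {
    "/opt/app/cgi-bin/welcome.cgi": sha256_hex(ORIGINAL_SCRIPT),
    "/opt/app/cgi-bin/status.cgi": sha256_hex(STATUS_SCRIPT),
    "/opt/app/cgi-bin/logout.cgi": "0" * 64,  # placeholder digest; file is absent below
}

# Files as collected from the device under investigation (constructed).
SNAPSHOT = {
    "/opt/app/cgi-bin/welcome.cgi": TAMPERED_SCRIPT,
    "/opt/app/cgi-bin/status.cgi": STATUS_SCRIPT,
    "/opt/app/cgi-bin/healthcheck.cgi": DROPPED_SHELL,
}

# Where request data enters a Perl CGI script, and where it can become a command.
SOURCE_RE = re.compile(r"->param\(|QUERY_STRING|HTTP_COOKIE|<STDIN>|\$ENV\{")
SINK_RE = re.compile(r"\b(?:system|exec|eval)\s*\(|`[^`]+`")


def find_webshell_markers(content: str) -> list[tuple[int, str]]:
    """Return (line number, line) for each command-execution sink in a script
    that also reads request input.  A sink alone is normal in admin tooling;
    the pairing with request input is what makes it webshell-shaped."""
    lines = content.splitlines()
    if not any(SOURCE_RE.search(line) for line in lines):
        return []
    return [(n, line.strip()) for n, line in enumerate(lines, start=1) if SINK_RE.search(line)]


def audit(snapshot: dict[str, str], baseline: dict[str, str]) -> list[dict]:
    """Classify every path as clean / modified / unexpected / missing and
    attach webshell markers.  Clean files are scanned too: a baseline taken
    after the compromise would otherwise whitelist the backdoor."""
    findings = []
    for path, content in sorted(snapshot.items()):
        expected = baseline.get(path)
        if expected is None:
            status = "unexpected"
        elif sha256_hex(content) != expected:
            status = "modified"
        else:
            status = "clean"
        findings.append({"path": path, "status": status,
                         "markers": find_webshell_markers(content)})
    for path in sorted(baseline.keys() - snapshot.keys()):
        findings.append({"path": path, "status": "missing", "markers": []})
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT, BASELINE):
        print(f"{f['status']:<10} {f['path']}")
        for n, line in f["markers"]:
            print(f"    line {n}: {line}")
```

The hash check alone catches the modified handler but says nothing about a newly dropped file, and the marker scan alone would miss a backdoor that hides its sink behind an obfuscated string; running both, and refusing to trust a baseline taken from the suspect device itself, is the point.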
The US agency provides the following recommendations to the administrators:
(SecurityAffairs – hacking, SolarWinds)