A Stealthy Malware Found on Hacked Pulse Secure Devices
CISA Released an Alert Regarding Multiple Malware Samples Found on Exploited Pulse Secure Devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert regarding more than a dozen malware samples that were found on exploited Pulse Secure devices and that can go undetected by antivirus products.
Pulse Secure devices at U.S. government agencies, critical infrastructure entities, and various private sector organizations have been a common target of attacks from threat actors ever since June 2020, as multiple vulnerabilities (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289) were exploited for initial entry and webshells were placed for backdoor access.
CISA Recently Published Analysis Reports for 13 Malware Pieces
Some of the analyzed malware samples consisted of multiple files found on compromised Pulse Secure devices; administrators are therefore strongly encouraged to review the reports for indicators of compromise and to learn about the threat actor’s tactics, techniques, and procedures (TTPs).
All the files analyzed by CISA were found on compromised Pulse Connect Secure devices.
Some of these files were actually modified versions of legitimate Pulse Secure scripts, and it looks like one of the malware samples is a “modified version of a Pulse Secure Perl Module” namely DSUpgrade.pm.
The legitimate Pulse Secure files that CISA found modified also included:
- licenseserverproto.cgi (STEADYPULSE)
- clear_log.sh (THINBLOOD LogWiper Utility Variant)
- compcheckjava.cgi (HARDPULSE)
- meeting_testjs.cgi (SLIGHTPULSE)
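Because the malicious files were modified copies of legitimate appliance scripts rather than new binaries, a signature-based antivirus scan is a poor fit; comparing the files on the device against a known-good hash manifest is the check a defender wants. The following is an added example, not CISA's or Pulse Secure's own tooling: it builds a SHA-256 manifest from a clean tree, then reports files that were modified, removed, or newly added. The directory layout and file contents are constructed for the demonstration; the file names are those listed above but their bodies are placeholders. The manifest must come from a trusted source (vendor checksums or a clean image), not from the device under investigation.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large images do not sit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the current tree with a known-good manifest.

    Returns sorted lists of files whose content changed, files that vanished,
    and files present on disk that the manifest does not know about (the last
    category is where a dropped web shell would show up).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a clean tree, then apply three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        # placeholder bodies; real appliance scripts are not reproduced here
        clean = {
            "cgi-bin/licenseserverproto.cgi": b"#!/usr/bin/perl\n# original license check\n",
            "cgi-bin/meeting_testjs.cgi": b"#!/usr/bin/perl\n# original meeting test\n",
            "clear_log.sh": b"#!/bin/sh\n# original log rotation\n",
        }
        for name, body in clean.items():
            (root / name).write_bytes(body)
        manifest = build_manifest(root)  # trusted baseline taken before any change

        # 1) a legitimate script gains extra content
        with (root / "cgi-bin/licenseserverproto.cgi").open("ab") as f:
            f.write(b"# constructed appended line\n")
        # 2) a script is removed
        (root / "clear_log.sh").unlink()
        # 3) a file appears that the baseline never had
        (root / "cgi-bin/compcheckjava.cgi").write_bytes(b"#!/usr/bin/perl\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

On a real appliance the baseline would be generated from a freshly installed image of the same version, and the comparison run from a separate host with read-only access to the exported filesystem, so that a tampered device cannot lie about its own hashes.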
Some Files Were Modified for Malicious Purposes and Used in Incidents Earlier This Year
In a report from April, Mandiant researchers noted that the suspected Chinese threat actor exploited CVE-2021-22893 for initial entry.
According to this report, the adversary turned legitimate files into the webshells STEADYPULSE, HARDPULSE, and SLIGHTPULSE, and into a variant of the THINBLOOD LogWiper utility.
In another instance, the threat actor modified a Pulse Secure system file in order to harvest the credentials of users who logged in successfully.
It is worth noting that most of the files CISA found on hacked Pulse Secure devices were not detected by antivirus solutions at the time of the analysis; only one of them was present on VirusTotal.
CISA urges administrators to strengthen their security posture and follow best practices such as:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
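The "true file type" item above is the one recommendation in the list that reduces to a concrete check: read the first bytes of an attachment and confirm that they agree with what its extension claims. The code below is an added example written for this article, not CISA's own tool. It carries a small table of well-known file signatures (assumed to be sufficient for the demonstration; a production gateway would use a fuller signature database) and classifies each attachment as a match, a mismatch, or unverified when the content has no recognisable header. The sample attachments are constructed in the script.

```python
# Signature table: (leading bytes, detected type, extensions that legitimately carry it).
# Office formats and JARs are ZIP containers, so they share the ZIP signature.
MAGIC = [
    (b"%PDF-", "pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe", {"exe", "dll", "scr", "sys"}),
    (b"\x7fELF", "elf", {"elf", "so"}),
]


def sniff(data: bytes):
    """Return (type label, allowed extensions) for the header, or ("unknown", set())."""
    for magic, label, exts in MAGIC:
        if data.startswith(magic):
            return label, exts
    return "unknown", set()


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the type implied by the file header.

    verdict is "match" when header and extension agree, "mismatch" when the
    header is recognised but belongs to a different type, and "unverified"
    when no signature matched (plain text, for instance, has no header).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    label, exts = sniff(data)
    if label == "unknown":
        verdict = "unverified"
    elif ext in exts:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"name": filename, "ext": ext, "detected": label, "verdict": verdict}


def scan_attachments(items) -> list:
    """Run the check over (filename, bytes) pairs and return one record per file."""
    return [check_attachment(name, data) for name, data in items]


# Constructed sample attachments: only the first bytes matter for this check.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n% constructed sample\n"),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),          # executable named as a PDF
    ("photo.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),     # PNG named as a JPEG
    ("quarterly.docx", b"PK\x03\x04" + b"\x00" * 26),       # ZIP container, as expected
    ("notes.txt", b"plain text has no signature\n"),
]


if __name__ == "__main__":
    for rec in scan_attachments(SAMPLES):
        print(f"{rec['name']:16} ext={rec['ext']:5} header={rec['detected']:8} {rec['verdict']}")
```

The three-way verdict matters in practice: treating "unverified" as a mismatch would quarantine every text or CSV attachment, while treating it as a match would let anything without a known header through. Policy for that middle case (allow, sandbox, or deep-inspect) is a separate decision from the header check itself.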
System owners and administrators should review every configuration change before applying it, in order to avoid incidents.