The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert today about more than a dozen malware samples found on exploited Pulse Secure devices that are largely undetected by antivirus products.
Since at least June 2020, Pulse Secure devices at U.S. government agencies, critical infrastructure entities, and various private sector organizations have been the target of attacks from threat actors.
Adversaries leveraged multiple vulnerabilities (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289) for initial entry and placed webshells for backdoor access.
Webshells in disguise
Today, CISA published analysis reports for 13 malware pieces, some of them comprised of multiple files, found on compromised Pulse Secure devices. Administrators are strongly encouraged to review the reports for indicators of compromise and to learn about the threat actor’s tactics, techniques, and procedures (TTPs).
All the files that CISA analyzed were found on compromised Pulse Connect Secure devices and some of them were modified versions of legitimate Pulse Secure scripts.
In most cases, the malicious files were webshells for activating and running remote commands for persistence and remote access, but utilities were also present.
For one of the malware samples, CISA notes it is a “modified version of a Pulse Secure Perl Module” namely DSUpgrade.pm – a core file in the system upgrade procedure – that the attackers modified into a webshell (ATRIUM) to extract and execute remote commands.
The list of legitimate Pulse Secure files found by CISA to be modified by the attacker also include the following:
- licenseserverproto.cgi (STEADYPULSE)
- clear_log.sh (THINBLOOD LogWiper Utility Variant)
- compcheckjava.cgi (hardpulse)
- meeting_testjs.cgi (SLIGHTPULSE)
Some of the files above have been modified for malicious purposes in incidents earlier this year investigated by Mandiant cybersecurity firm. In a report in April, the researchers note that the suspected Chinese threat actor had leveraged CVE-2021-22893 for the initial entry.
According to Mandiant’s report, the adversary turned the legitimate files into the webhells STEADYPULSE, HARDPULSE, and SLIGHTPULSE, and a variant of the variant of THINBLOOD LogWiper utility.
In another case, the threat actor modified a Pulse Secure system file to steal credential data from users that logged in successfully. The collected info was then stored in a file in a temporary directory on the device.
CISA’s analysis also a modified version of the Unix unmount application that gave the attacker persistence and remote access by hooking the unmount functionality of a compromised Unix device.
Another Linux tool found in these attacks is the THINBLOOD Log Wiper, disguised under the name “dsclslog.” As its name indicates, the utility’s purpose is to delete access and event log files.
Most of the files that CISA found on hacked Pulse Secure devices were undetected by antivirus solutions at the time of the analysis; and only one of them was present on the VirusTotal file scanning platform, added two months ago and detected by one antivirus engine as a variant of ATRIUM webshell.
The agency recommends administrators to strengthen the security posture by following the best practices:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
As a precaution, system owners and administrators should check every configuration change before applying it, to avoid any incidents.