A detailed warning concerning almost 13 malware samples associated with Pulse Secure operated devices has been issued by the Cybersecurity and Infrastructure Security Agency (CISA). These specimens were flown beneath the anti-virus radar.
In Pulse Connect Secure's suite of virtual private network (VPN) devices, at least two main hacker groups have distributed a dozen malware families to spies on the US defense sector. Several hacking organizations supported by the Chinese are believed to be behind the attacks.
Executives were urged to evaluate the document to identify the threat actor's strategies, techniques, and procedures while looking for any signs of data being compromised.
Pulse Secure is indeed a global business with offices around the world. Its headquarters are situated in Silicon Valley, with development offices in Massachusetts and India. Pulse has sales offices located across America, Europe, the Middle East, and Asia. It's the most diverse SSL-VPN in the World to ensure user productivity, IT agility, and continuity in the enterprise.
Pulse Secure devices, key infrastructure institutions, and other organizations in the commercial sector have been targeted by cyber threats ever since June 2020. Attackers used various vulnerabilities for the first entry and deployed backdoor web shells (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289).
All of the documents examined by the CISA were identified on affected Pulse Connect Secure devices, including some updated versions of legal Pulse Secure scripts.
In most cases, the Malevolent Files were web shells for remote persistence and remote controls to activate and execute, although other utilities were included. For one of these specimens, the CISA reports that it is a "modified version of the Secure Pulse Perl Module" - a fundamental firmware update file particularly DSUpgrade.pm - for hackers to retrieve and execute remote instructions converted to a web shell (ATRIUM).
The embedded web shell was intended to accept an ID parameter from a web application post. The web shell processes the data offered by running it locally using a system() function within the 'id' parameter as a control of the operating system.
In another examination, CISA discovered a customized Unix umount application designed to "hook" the environmentally friendly capabilities of a Unix device.
The addition of this unmountable 'hook' feature results in many system changes providing persistent control and command (C2) remote operator access to an affected Pulse Secure device, as per CISA.
The list of genuine CISA Pulse Secure files that the attacker has identified to modify include:
- licenseserverproto.cgi (STEADYPULSE) t
- nchcupdate.cgi
- healthcheck.cgi
- compcheckjs.cgi
- DSUpgrade.pm.current
- DSUpgrade.pm.rollback
- clear_log.sh (THINBLOOD LogWiper Utility Variant)
- compcheckjava.cgi (hardpulse)
- meeting_testjs.cgi (SLIGHTPULSE)
In cases studied by Mandiant Cybersecurity firm, most of the above files were subjected to change for nefarious intent earlier this year. The researchers indicated in an April report that CVE-2021-22893 was used by the suspected Chinese threat actor.
As per the report of Mandiant, the opponents converted the genuine files into the STEADYPULSE, HARDPULSE, and SLIGHTPULSE web shells and a variant of THINBLOOD LogWiper utility.
Some of the documents CISA identified on hacked Pulse Secure devices at the time of investigation were uncovered by anti-virus solutions; just one of them was available on the VirusTotal file scanning portal which was uploaded two months ago and flagged as a variation of ATRIUM web shell by one antivirus engine.
To ensure security posture in their systems, CISA administrators advised performing several actions. It suggested that antivirus and engines be kept up-to-date along with the patches. The experts also said that file sharing and printing services must be disabled. One must use strong passwords or Active Directory authentication if required.
