Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.
CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs).
CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May.
CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN.
According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.
Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.
