Search This Blog

Showing posts with label Pulse Secure. Show all posts

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.

Pulse Security Devices Identified with Malware: Alerts CISA

 

A detailed warning concerning almost 13 malware samples associated with Pulse Secure operated devices has been issued by the Cybersecurity and Infrastructure Security Agency (CISA). These specimens were flown beneath the anti-virus radar. 

In Pulse Connect Secure's suite of virtual private network (VPN) devices, at least two main hacker groups have distributed a dozen malware families to spies on the US defense sector. Several hacking organizations supported by the Chinese are believed to be behind the attacks. 

Executives were urged to evaluate the document to identify the threat actor's strategies, techniques, and procedures while looking for any signs of data being compromised. 

Pulse Secure is indeed a global business with offices around the world. Its headquarters are situated in Silicon Valley, with development offices in Massachusetts and India. Pulse has sales offices located across America, Europe, the Middle East, and Asia. It's the most diverse SSL-VPN in the World to ensure user productivity, IT agility, and continuity in the enterprise. 

Pulse Secure devices, key infrastructure institutions, and other organizations in the commercial sector have been targeted by cyber threats ever since June 2020. Attackers used various vulnerabilities for the first entry and deployed backdoor web shells (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289). 

All of the documents examined by the CISA were identified on affected Pulse Connect Secure devices, including some updated versions of legal Pulse Secure scripts. 

In most cases, the Malevolent Files were web shells for remote persistence and remote controls to activate and execute, although other utilities were included. For one of these specimens, the CISA reports that it is a "modified version of the Secure Pulse Perl Module" - a fundamental firmware update file particularly DSUpgrade.pm - for hackers to retrieve and execute remote instructions converted to a web shell (ATRIUM). 

The embedded web shell was intended to accept an ID parameter from a web application post. The web shell processes the data offered by running it locally using a system() function within the 'id' parameter as a control of the operating system. 

In another examination, CISA discovered a customized Unix umount application designed to "hook" the environmentally friendly capabilities of a Unix device. 

The addition of this unmountable 'hook' feature results in many system changes providing persistent control and command (C2) remote operator access to an affected Pulse Secure device, as per CISA. 

The list of genuine CISA Pulse Secure files that the attacker has identified to modify include: 
  • licenseserverproto.cgi (STEADYPULSE) t
  • nchcupdate.cgi 
  • healthcheck.cgi 
  • compcheckjs.cgi 
  • DSUpgrade.pm.current 
  • DSUpgrade.pm.rollback 
  • clear_log.sh (THINBLOOD LogWiper Utility Variant) 
  • compcheckjava.cgi (hardpulse) 
  • meeting_testjs.cgi (SLIGHTPULSE) 

In cases studied by Mandiant Cybersecurity firm, most of the above files were subjected to change for nefarious intent earlier this year. The researchers indicated in an April report that CVE-2021-22893 was used by the suspected Chinese threat actor. 

As per the report of Mandiant, the opponents converted the genuine files into the STEADYPULSE, HARDPULSE, and SLIGHTPULSE web shells and a variant of THINBLOOD LogWiper utility. 

Some of the documents CISA identified on hacked Pulse Secure devices at the time of investigation were uncovered by anti-virus solutions; just one of them was available on the VirusTotal file scanning portal which was uploaded two months ago and flagged as a variation of ATRIUM web shell by one antivirus engine. 

To ensure security posture in their systems, CISA administrators advised performing several actions. It suggested that antivirus and engines be kept up-to-date along with the patches. The experts also said that file sharing and printing services must be disabled. One must use strong passwords or Active Directory authentication if required.

APT: China-Based Threat Group Attacks Pulse Secure VPNs

 

Several hacker groups that are supposed to support Chinese long-term economic goals continue in the defense, high-tech, public, transportation, and financial services industry networks in the US and Europe. 

Many breaches have taken place wherein attacks by Chinese threat actors penetrated Pulse Secure VPN devices to break into an organization's network and steal confidential material. 

Whereas in several other incidents the attackers took full advantage of the Pulse Connect Secure (PCS) (CVE-2021-22893) authentication bypass vulnerability to enter into the victim's network. The intruders also gained control of the combination of previously known vulnerabilities. Meanwhile, last month, a failure in the bypass authentication was detected and rectified. 

Mandiant issued a warning this week – on China's advanced persistent threat (APT) activity for U.S. and European organizations. In the alert, Mandiant had focused on a battery of malware tools used to address vulnerabilities in Pulse Secure VPN devices on two Chinese-based organizations: UNC2630 and UNC2717. Mandiant said that UNC2630 had targeted US military industry groups and UNC2717 had attacked an EU entity. 

"The exploitation activity we have observed is a mix of targeting unpatched systems with CVEs from 2019 and 2020, as well as a previously unpatched 2021 CVE (CVE-2021-22893)," says Stephen Eckels, a reverse engineer at Mandiant. "Since our original report, Pulse Secure and Mandiant have worked together, and the zero-day has since been patched." 

"At this time, Pulse Secure has patched all known vulnerabilities," Eckels added. 

In certain cases, the attackers had set up their local admin accounts on critical Windows servers to operate freely on the target network. Instead of depending on internal endpoints of the security vulnerabilities, they used exclusivity of Pulse Secure web-shells and malware. 

The UNC2630 and UNC2717, according to Mandiant, are just two of the various groups which threaten Pulse Secure VPNs that seem to work for the interest of the Chinese administration. Many of the groups use the same number of instruments, but their strategies and tactics are different. 

There has been no confirmation so far that the threat actors had acquired American data that would provide economic advantages for Chinese enterprises. In particular, a 2012 agreement between President Barack Obama and a Chinese counterpart Xi prohibits cyber espionage of such data. 

"Right now we're not able to say that they haven't, just that we don't have direct evidence that they have violated [the agreement]," Mandiant says. "Some of the affected entities are private companies that would have commercial intellectual property, the theft of which would violate the agreement. We just have not seen direct evidence of that type of data being staged or exfiltrated." 

Mandiant's assessment of the Chinese ferocious ATP activities is coinciding with this week's alert from Microsoft for Nobellum, the Russian menace actor behind the SolarWinds attack and an extensive e-mail campaign. In both cases, cyber espionage seems to be the major motif in support of national strategic objectives.

Supermicro and Pulse Secure Issue Advisories Regarding 'TricBoot' Assaults

 

Supermicro, a U.S.-based information technology firm and VPN provider Pulse Secure have released their advisories regarding the vulnerabilities of their motherboards to the TrickBot malware’s Unified Extensible Firmware Interface (UEFI) firmware-infecting module, called Trickboot. 

Last year, cybersecurity companies Advanced Intelligence and Eclypsium launched a joint report regarding a new malicious firmware-targeting ‘TrickBoot’ module delivered by the well-known TrickBot malware. When the TrickBoot module is executed, it will examine a gadget’s UEFI firmware to determine if it has ‘compose defense’ disabled. If it is, the malware contains the performance to check out, compose, and remove the firmware.

This might allow the malware to execute numerous destructive activities, such as bricking a gadget, bypassing operating system security controls, or reinfecting a system even after a complete reinstall. 

To examine if a UEFI BIOS has 'write protection' enabled, the module utilizes the RwDrv.sys chauffeur from the RWEverything energy.

Cybersecurity firms Advanced Intelligence and Eclypsium released a joint statement reading – “All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip.”

“Modern systems are intended to enable those BIOS write protections to prevent the firmware from being modified; however, these protections are often not enabled or misconfigured. If the BIOS is not write-protected, attackers can easily modify the firmware or even delete it completely,” it further reads.

The malware’s ability to examine a gadget’s firmware is presently limited to specific Intel platforms, including Skylake, Kaby Lake, Coffee Lake, and Comet Lake. 

In an advisory released by Supermicro and Pulse Secure, they are alerting that some of their X10 UP motherboards have susceptibilities to the TrickBoot malware and have actually launched a ‘vital’ BIOS upgrade to enable write protection.

The susceptible X10 UP-series (‘Denlow’) motherboards are noted below.

1. X10SLH-F (will EOL on 3/11/2021)
2. X10SLL-F (EOL’ed since 6/30/2015)
3. X10SLM-F (EOL’ed since 6/30/2015) 
4. X10SLL+-F (EOL’ed since 6/30/2015) 
5. X10SLM+-F (EOL’ed since 6/30/2015) 
6. X10SLM+-LN4F (EOL’ed since 6/30/2015)
7. X10SLA-F (EOL’ed since 6/30/2015) 
8. X10SL7-F (EOL’ed since 6/30/2015) 
9. X10SLL-S/-SF (EOL’ed since 6/30/2015) 

Supermicro has actually launched BIOS variation 3.4 to repair the vulnerability but has only released it openly for the X10SLH-F motherboard. Pulse Secure likewise issued an advisory as their Pulse Secure Device 5000 (PSA-5000), and Pulse Secure Device 7000 (PSA-7000) gadgets operate on susceptible Supermicro hardware.