Pierluigi Paganini July 22, 2021

U.S. CISA released an alert today about several stealth malware samples that were found on compromised Pulse Secure devices.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security alert related to the discovery of 13 malware samples on compromised Pulse Secure devices, many of which were undetected by antivirus products. Experts pointed out that only one of malware samples analyzed by CISA was uploaded on VirusTotal with a low detection rate.

The agency published a malware analysis report (MARs) for each malicious code, the report also includes threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) for the threat.

“As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed 13 malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following 13 malware analysis reports (MARs) for threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) and to review CISA’s Alert Exploitation of Pulse Connect Secure Vulnerabilities for more information.” Reads the CISA’s alert.

Government experts reported that threat actors are targeting Pulse Secure devices since June 2020 by attempting to exploit multiple know vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289.

Once achieved access to the target network, attackers placed webshells to gain backdoor access.

Some of the files analyzed by CISA are shell scripts used to modify a file to plant a webshell designed to check and parse incoming web requests data. Some of the files discovered on hacked Pulse Connect Secure devices were modified versions of legitimate scripts.

The webshells were also used to achieve persistence and remotely access the devices.

The US agency provides the following recommendations to the administrators:

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]