CISA publishes malware analysis reports on samples targeting Pulse Secure devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released five malware analysis reports (MARs) related to samples found on compromised Pulse Secure devices.

The U.S. CISA published five malware analysis reports (MARs) related to samples found on compromised Pulse Secure devices.

“As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information.” reads CISA’s advisory.

• MAR-10333243-3.v1: Pulse Connect Secure
• MAR-10334057-3.v1: Pulse Connect Secure
• MAR-10336935-2.v1: Pulse Connect Secure
• MAR-10338401-2.v1: Pulse Connect Secure
• MAR-10339606-1.v1: Pulse Connect Secure

The MARs include details on the tactics, techniques, and procedures (TTPs) employed by threat actors along with Indicators of Compromise (IOCs) for the attack.

Threat actors are targeting Pulse Connect Secure VPN devices exploiting multiple flaws, including CVE-2021-22893 and CVE-2021-22937.

CVE-2021-22893 is a buffer overflow issue in Pulse Connect Secure Collaboration Suite prior b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user via maliciously crafted meeting room. According to coordinated reports published by FireEye and Pulse Secure in May, two hacking groups have exploited the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defense contractors and government organizations worldwide.

CVE-2021-22937 is a high-severity remote code execution vulnerability that resides in the admin web interface of Pulse Connect Secure. A remote attacker could exploit the flaw to overwrite arbitrary files and gain code execution with root privileges. The flaw received a CVSS score of 9.1, experts pointed out that it results from a bypass of the patch released in October 2021 to address the CVE-2020-8260 issue. Ivanti fixed this critical code execution issue in Pulse Connect Secure VPN early this month.

Two of the samples analyzed by CISA in the MARs are tainted Pulse Secure files retrieved from infected devices that were used to harvest credentials. Only one of them also implements backdoor capabilities, allowing threat actors to establish remote access to the compromised device.

Another file included a malicious shell script that could log a valid user’s username and password credentials into a file stored on disk. One of the reports provides details about a sample that involved multiple files, including a shell script used by attackers to modify a Pulse Secure file and use it as a webshell. Another sample documented by the experts allows attackers to parse incoming web request data, while another file could be used to intercept certificate-based multi-factor authentication.

“Some of the files consist of shell scripts designed to modify a Pulse Secure Perl Common Gateway Interface (CGI) script file in place to become a webshell. One file is designed to intercept certificate-based multi-factor authentication. The other files are designed to check, parse and decrypt incoming web request data. This analysis is derived from malicious files found on Pulse Connect Secure devices.” reads the MAR.

The fifth sample analyzed by the researchers includes two Perl scripts that allow attackers to execute commands, a Perl library, a Perl script, and a shell script that manipulate and execute the ‘/bin/umount’ file.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse Secure)

[adrotate banner=”5″]

[adrotate banner=”13″]