27 August 2021

CISA releases MARs on malware targeting Pulse Secure devices


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published five malware analysis reports (MARs) related to malicious files discovered on compromised Pulse Secure devices.

The MARs include details on the tactics, techniques, and procedures (TTPs) employed by threat actors, as well as Indicators of Compromise (IoCs) related to the attacks.

Threat actors have been targeting Pulse Connect Secure VPN appliances by exploiting various vulnerabilities in the product, including two flaws that came to light earlier this year, CVE-2021-22893 and CVE-2021-22937. The first is an improper authentication issue that allows a remote attacker to bypass the authentication process and compromise the affected device; the second is an arbitrary file upload vulnerability that a remote attacker can exploit to compromise the vulnerable system.

The malware samples recovered from compromised Pulse Secure devices and analyzed by CISA include modified CGI scripts that allowed an attacker to gain remote access to a target system; a malicious shell script that could log a valid user's username and password to a file stored on disk; shell scripts designed to modify a Pulse Secure Perl Common Gateway Interface (CGI) script file in place, turning it into a webshell; a file designed to intercept certificate-based multi-factor authentication; and two Perl scripts that execute attacker commands stored in an environment variable.

“CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert, Exploitation of Pulse Connect Secure Vulnerabilities, for more information,” the agency said.
