[BreachExchange] A Stealthy Malware Found on Hacked Pulse Secure Devices

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 22 11:45:43 EDT 2021


https://heimdalsecurity.com/blog/a-stealthy-malware-found-on-hacked-pulse-secure-devices/

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released
an alert regarding more than a dozen malware samples that were found on
exploited Pulse Secure devices and that can go undetected by antivirus
products.

Pulse Secure devices at U.S. government agencies, critical infrastructure
entities, and various private sector organizations have been a common
target of attacks from threat actors ever since June 2020, as multiple
vulnerabilities (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243,
CVE-2021-22893) were exploited for initial entry and webshells were placed
for backdoor access.

CISA Recently Published Analysis Reports for 13 Malware Pieces

Some of the analyzed malware consisted of multiple files found on
compromised Pulse Secure devices, so administrators are strongly encouraged
to review the reports for indicators of compromise and to learn about the
threat actor's tactics, techniques, and procedures (TTPs).

All the files analyzed by CISA were found on compromised Pulse Connect
Secure devices.

Some of these files were actually modified versions of legitimate Pulse
Secure scripts; one of the malware samples is described as a "modified
version of a Pulse Secure Perl Module", namely DSUpgrade.pm.

The list of legitimate Pulse Secure files found by CISA also included:

   - licenseserverproto.cgi (STEADYPULSE)
   - tnchcupdate.cgi
   - healthcheck.cgi
   - compcheckjs.cgi
   - DSUpgrade.pm.current
   - DSUpgrade.pm.rollback
   - clear_log.sh (THINBLOOD LogWiper Utility Variant)
   - compcheckjava.cgi (HARDPULSE)
   - meeting_testjs.cgi (SLIGHTPULSE)
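The common thread in this list is tampering with files that are supposed to be there: a legitimate CGI or Perl module is replaced with a modified copy, or a new script is dropped next to the real ones. Because most of the samples were not flagged by antivirus engines, the practical check is not a signature but a comparison against a known-good baseline. The script below is an added example, not code from the article, from CISA, or from Pulse Secure. It assumes a baseline manifest (relative path to SHA-256) captured from a clean appliance image of the same version and kept off the device; the directory trees and file contents it uses are constructed for the demonstration, and only the file names come from the article.

```python
"""Baseline-and-compare file integrity check.

Added example; not code from the article, CISA, or Pulse Secure. It assumes
a known-good manifest (relative path -> SHA-256) captured from a clean
appliance image and stored off the device. Directory layout and file
contents below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

# File names the article reports CISA found modified on compromised devices.
WATCHED_FILES = [
    "licenseserverproto.cgi",
    "tnchcupdate.cgi",
    "healthcheck.cgi",
    "compcheckjs.cgi",
    "compcheckjava.cgi",
    "meeting_testjs.cgi",
    "DSUpgrade.pm",
    "clear_log.sh",
]


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256.

    Walking the whole tree, not just WATCHED_FILES, is what lets the compare
    step notice files an attacker added rather than only ones they changed.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    """Persist the baseline as JSON; keep this copy off the appliance."""
    with open(path, "w") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as handle:
        return json.load(handle)


def compare_manifests(baseline, current):
    """Return sorted lists of modified, missing and unexpected paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a clean tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as live, \
            tempfile.TemporaryDirectory() as store:
        for root in (clean, live):
            for name in WATCHED_FILES:
                with open(os.path.join(root, name), "w") as handle:
                    handle.write("#!/usr/bin/perl\n# constructed stand-in for %s\n" % name)
        # Tampering, all constructed: one script altered, one new file
        # dropped beside the legitimate ones, one file removed.
        with open(os.path.join(live, "healthcheck.cgi"), "a") as handle:
            handle.write("# constructed appended content\n")
        with open(os.path.join(live, "dropped.cgi"), "w") as handle:
            handle.write("# constructed new file\n")
        os.remove(os.path.join(live, "clear_log.sh"))

        baseline_file = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(clean), baseline_file)
        return compare_manifests(load_manifest(baseline_file), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-10s %s" % (kind, ", ".join(paths) or "-"))
```

Two caveats apply when this is run for real rather than on the constructed trees. The baseline has to come from a clean image of exactly the installed version, or every legitimate update shows up as "modified"; and a matching hash only says the file on disk is unchanged, so it says nothing about what is already running in memory or about configuration stored outside the watched tree.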


Some Files Were Modified for Malicious Purposes and Used in Incidents
Earlier This Year

In a report from April, researchers from Mandiant noted that the suspected
Chinese threat actor leveraged CVE-2021-22893 for initial entry.

According to this report, the adversary transformed legitimate files into
the webshells STEADYPULSE, HARDPULSE, and SLIGHTPULSE, and into a variant
of the THINBLOOD LogWiper utility.

In another instance, the threat actor modified a Pulse Secure system file
in order to steal credential data from users that logged in successfully.

It is worth noting that most of the files CISA found on hacked Pulse Secure
devices were undetected by antivirus solutions at the time of the analysis,
with only one of them present on VirusTotal.

CISA urges administrators to strengthen their security posture and follow a
series of best practices like:

   - Maintain up-to-date antivirus signatures and engines.
   - Keep operating system patches up-to-date.
   - Disable File and Printer sharing services. If these services are
   required, use strong passwords or Active Directory authentication.
   - Restrict users’ ability (permissions) to install and run unwanted
   software applications. Do not add users to the local administrators’ group
   unless required.
   - Enforce a strong password policy and implement regular password
   changes.
   - Exercise caution when opening e-mail attachments even if the
   attachment is expected and the sender appears to be known.
   - Enable a personal firewall on agency workstations, configured to deny
   unsolicited connection requests.
   - Disable unnecessary services on agency workstations and servers.
   - Scan for and remove suspicious e-mail attachments; ensure the scanned
   attachment is its “true file type” (i.e., the extension matches the file
   header).
   - Monitor users’ web browsing habits; restrict access to sites with
   unfavorable content.
   - Exercise caution when using removable media (e.g., USB thumb drives,
   external drives, CDs, etc.).
   - Scan all software downloaded from the Internet prior to executing.
   - Maintain situational awareness of the latest threats and implement
   appropriate Access Control Lists (ACLs).

System owners and administrators should review every configuration change
before applying it, in order to avoid unintended impact.