[BreachExchange] CISA Details Additional Malware Targeting Pulse Secure Appliances

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 26 08:25:32 EDT 2021


https://www.securityweek.com/cisa-details-additional-malware-targeting-pulse-secure-appliances

Adversaries have been targeting Pulse Connect Secure VPN appliances to
exploit various vulnerabilities, including a couple of security holes
discovered earlier this year, specifically CVE-2021-22893 and
CVE-2021-22937.

In April this year, CISA released an alert on attacks targeting Pulse
Secure devices, complemented with indicators of compromise (IOCs) and
information on the malware used by attackers, and this week the agency
published details on five additional malware samples.

Two of the samples, CISA reveals, are maliciously modified Pulse Secure
files retrieved from infected devices, both of which function as credential
harvesters. One of the files also acts as a backdoor, providing attackers
with remote access to the compromised device.

Another file contained a malicious shell script that could log usernames
and passwords. A third sample involved multiple files, including a shell
script that would modify a Pulse Secure file to become a webshell. One file
was designed to intercept certificate-based multi-factor authentication,
while others would parse incoming web request data.

The fifth sample consisted of two Perl scripts designed to execute attacker
commands, a Perl library, a Perl script, and a shell script designed to
manipulate and execute the '/bin/umount' file.

CISA’s five malware analysis reports (MARs) include details on the tactics,
techniques, and procedures (TTPs) employed by adversaries, as well as IOCs.
The agency encourages users and administrators to review the provided
information, as well as previously published alerts.

Pulse Secure, which was acquired last year by Ivanti, has released a tool
that helps customers identify compromised appliances.
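As an added defender-side illustration (not code from the article, from CISA's reports, or from Pulse Secure's own tool), the script below shows the basic check an integrity tool performs to spot the kind of maliciously modified appliance files the reports describe: hash known-good files into a baseline, then compare the live files against it later. The file names, contents and the simulated tampering are constructed placeholders, not real Pulse Secure paths.

```python
"""Baseline integrity check for appliance files (constructed example)."""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical relative paths standing in for appliance files; these are
# not real Pulse Secure paths, which this example does not know.
SAMPLE_FILES = {
    "web/login.cgi": b"#!/usr/bin/perl\n# original login handler\n",
    "web/auth.pm":   b"package Auth;\nsub check { return 1 }\n",
    "bin/helper.sh": b"#!/bin/sh\necho ok\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, rel_paths) -> dict:
    """Record the hash of every listed file while the system is known-good."""
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def verify_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare current files with the baseline; report modified and missing."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def write_samples(root: Path) -> None:
    """Lay out the constructed sample files under a scratch directory."""
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict:
    """Build a baseline, then simulate one tampered file and one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        baseline = build_baseline(root, SAMPLE_FILES)
        # Simulated tampering: a line appended to the login handler (constructed).
        with (root / "web/login.cgi").open("ab") as f:
            f.write(b"# tampered\n")
        # Simulated deletion of a helper script.
        (root / "bin/helper.sh").unlink()
        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be captured from a known-good image and stored off the appliance; a baseline written after compromise would simply enshrine the modified files.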