The U.S. CISA published five malware analysis reports (MARs) related to samples found on compromised Pulse Secure devices.null
CISA has analyzed five malware samples related to exploited Pulse Secure devices. CISA encourages users and administrators to review the following five malware analysis reports (MARs) for threat actor tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and review CISA’s Alert.
- MAR-10333243-3.v1: Pulse Connect Secure
- MAR-10334057-3.v1: Pulse Connect Secure
- MAR-10336935-2.v1: Pulse Connect Secure
- MAR-10338401-2.v1: Pulse Connect Secure
- MAR-10339606-1.v1: Pulse Connect Secure
Threat actors are targeting Pulse Connect Secure VPN devices exploiting multiple flaws, including CVE-2021-22893 and CVE-2021-22937
CVE-2021-22893 is a buffer overflow issue in Pulse Connect Secure Collaboration Suite prior b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user via maliciously crafted meeting room.
CVE-2021-22937 is a high-severity remote code execution vulnerability that resides in the admin web interface of Pulse Connect Secure. A remote attacker could exploit the flaw to overwrite arbitrary files and gain code execution with root privileges. The flaw received a CVSS score of 9.1.
Two of the samples analyzed by CISA in the MARs are tainted Pulse Secure files retrieved from infected devices that were used to harvest credentials. One of them implements backdoor capabilities, allowing threat actors to establish remote access to the compromised device.
Another file included a malicious shell script that could log a valid user’s username and password credentials into a file stored on disk. This allows attackers to parse incoming web request data, while another file could be used to intercept certificate based MFA.
The fifth sample analyzed by the researchers includes two Perl scripts that allow attackers to execute commands, a Perl library, a Perl script, and a shell script that manipulate and execute the ‘/bin/umount’ file.