Aug 17, 2014
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert today about more than a dozen malware samples, largely undetected by antivirus products, that were found on exploited Pulse Secure devices.

Since at least June 2020, Pulse Secure devices at U.S. government agencies, critical infrastructure entities, and various private sector organizations have been the target of attacks from threat actors.

Adversaries leveraged multiple vulnerabilities (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-2289) for initial entry and placed webshells for backdoor access.
Today, CISA published analysis reports for 13 malware samples, some of them comprising multiple files, found on compromised Pulse Secure devices. Administrators are strongly encouraged to review the reports for indicators of compromise and to learn about the threat actor's tactics, techniques, and procedures (TTPs).

All the files that CISA analyzed were found on compromised Pulse Connect Secure devices and some of them were modified versions of legitimate Pulse Secure scripts.

In most cases, the malicious files were webshells that let the attackers run remote commands for persistence and remote access, but utilities were also present. [...]
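Because several of the samples were modified copies of legitimate Pulse Secure scripts, one practical check for an administrator is a file-integrity comparison against a known-clean baseline. The script below is an added example, not CISA's tooling or anything from Pulse Secure: it hashes every file under a directory with SHA-256, compares the result with a baseline manifest, and reports files that were modified, added, or removed. The directory layout, file names and contents are constructed for the demo; a real baseline would be recorded from vendor installation media or a device known to be clean.

```python
"""Integrity check of a script tree against a known-good SHA-256 manifest.

Added example (not CISA's or Pulse Secure's code). It shows how "modified
versions of legitimate scripts" can be surfaced by hashing every file under a
directory and diffing the digests against a baseline taken from a clean install.
All paths and file contents below are constructed for demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as modified (digest differs), added (absent from the
    baseline) or missing (present in the baseline but gone from disk)."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Build a constructed clean tree, record its baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        login = root / "cgi-bin" / "login.cgi"      # constructed "legitimate" script
        login.write_text("#!/usr/bin/perl\nprint 'ok';\n")
        helper = root / "cgi-bin" / "helper.pl"     # constructed legitimate helper
        helper.write_text("sub helper { return 1; }\n")
        baseline = hash_tree(root)

        # Simulate what the alert describes: a legitimate script gains extra
        # content, an unexpected file appears, and a legitimate file vanishes.
        # The appended line is a constructed marker, not real malicious code.
        login.write_text(login.read_text() + "# constructed tampering marker\n")
        (root / "cgi-bin" / "extra.cgi").write_text("# constructed new file\n")
        helper.unlink()

        return compare_to_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest would be stored off the device (it is worthless if an intruder with root can rewrite it), and any file in the `modified` or `added` lists would be compared against the indicators in CISA's analysis reports before being treated as benign.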