The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert on malware samples recovered from compromised Pulse Secure devices; at the time of the alert, the samples went undetected by several well-known antivirus products.
“To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence,” the alert states.
CISA also analyzed files recovered from the compromised Pulse Connect Secure devices. Notably, several of them are altered versions of legitimate scripts that ship with the appliance; CISA assesses most of them to be webshells that let the attacker execute commands remotely and maintain persistent access. Because the files keep their legitimate names, a directory listing alone will not reveal them.
Below is the list of legitimate file names that the attacker modified, with the malware family CISA assigned to each:
- licenseserverproto.cgi (STEADYPULSE)
- clear_log.sh (THINBLOOD LogWiper Utility Variant)
- compcheckjava.cgi (HARDPULSE)
- meeting_testjs.cgi (SLIGHTPULSE)
At the time of writing, most of these disguised files found on compromised servers were not flagged by any of the AV engines on the VirusTotal scanning platform. Since the malware is a trojanized copy of a legitimate script rather than a stand-alone binary, signature-based scanning is a weak control here; comparing the on-device scripts against known-good hashes from a clean installation of the same firmware build is the more reliable check.
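The following is an added example of that hash-baseline check, not CISA's or Pulse Secure's own tooling. It records SHA-256 hashes of the four scripts named above from a clean tree, then compares a suspect tree against them and reports each file as ok, modified, or missing. The file contents, the directory layout, and the tampering shown in `demo()` are constructed for illustration; real baselines must be taken from an untouched installation of the exact same firmware build, and on a production appliance the comparison must be run from a trusted image, since a compromised device cannot be trusted to report on itself.

```python
"""Hash-baseline integrity check for the Pulse Connect Secure scripts named in
the CISA alert. Added example, not CISA's or Pulse Secure's tooling. All file
contents and directory paths below are constructed placeholders."""
import hashlib
import os
import tempfile

# File names CISA reported as altered copies of legitimate appliance scripts.
WATCHED_FILES = [
    "licenseserverproto.cgi",   # STEADYPULSE
    "clear_log.sh",             # THINBLOOD LogWiper utility variant
    "compcheckjava.cgi",        # HARDPULSE
    "meeting_testjs.cgi",       # SLIGHTPULSE
]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record the SHA-256 of each watched file from a known-clean tree."""
    return {name: sha256_of(os.path.join(root, name)) for name in WATCHED_FILES}


def check_integrity(root: str, baseline: dict) -> dict:
    """Compare a suspect tree against the baseline.

    Returns {filename: status} where status is 'ok', 'MODIFIED' or 'MISSING'.
    A missing file matters too: a wiped log-cleaning script is as suspicious
    as a trojanized one.
    """
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of(path) != expected:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Constructed scenario: a clean tree, then a copy with one script
    trojanized and one script deleted. Returns the check_integrity() report."""
    placeholder = b"#!/usr/bin/perl\n# constructed stand-in for the legitimate script\nprint 'ok';\n"
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for name in WATCHED_FILES:
            for d in (clean, suspect):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(placeholder)
        baseline = build_baseline(clean)
        # Constructed tampering: append a command-execution stub to one script
        # (the file keeps its legitimate name, so only the hash changes).
        with open(os.path.join(suspect, "meeting_testjs.cgi"), "ab") as f:
            f.write(b"system($ENV{'HTTP_X_CMD'});\n")
        # Constructed tampering: remove the log-clearing script entirely.
        os.remove(os.path.join(suspect, "clear_log.sh"))
        return check_integrity(suspect, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Running the block prints one line per watched file; in the constructed scenario `meeting_testjs.cgi` reports MODIFIED, `clear_log.sh` reports MISSING, and the other two report ok. Extending `WATCHED_FILES` to every script under the web root is straightforward, but the baseline must then be regenerated after every legitimate firmware update or the check will drown in false positives.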
CISA recommends the following best practices for hardening infrastructure:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
- Use the latest version of Pulse Secure available from the vendor.
CyberWorkx News readers can also consult the National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops,” for additional guidance on handling malware-related incidents.