The Cybersecurity and Infrastructure Security Agency (CISA) has released five detailed malware analysis reports (MARs) covering malware targeting Pulse Secure devices. The MARs document the threat actors' tactics, techniques and procedures, along with indicators of compromise related to the threat activity.
According to the reports, threat actors appear to be exploiting multiple vulnerabilities, including CVE-2021-22893 and CVE-2021-22937. CVE-2021-22893 is a buffer overflow issue that allows arbitrary code execution by an authenticated attacker using a maliciously crafted payload; it carries a CVSS score of 10.
CVE-2021-22937 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded through the administrator web interface. This vulnerability received a CVSS score of 9.1, and the vendor has addressed it in updates.
“Some of the files consist of shell scripts designed to modify a Pulse Secure Perl Common Gateway Interface (CGI) script file in place to become a webshell. One file is designed to intercept certificate-based multi-factor authentication. The other files are designed to check, parse and decrypt incoming web request data. This analysis is derived from malicious files found on Pulse Connect Secure devices,” reads the blog post.
CISA has also released detailed recommendations that users and administrators should follow:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
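The "true file type" recommendation above can be implemented as a check that an attachment's extension agrees with its leading magic bytes. The following is an added example, not code from CISA or the reports; the signature table and the sample attachment headers are constructed for illustration.

```python
# Check that an attachment's extension matches its actual file type
# (magic bytes), as recommended for scanned e-mail attachments.
import os

# Signatures: extension -> list of (offset, magic bytes) alternatives.
MAGIC = {
    ".pdf": [(0, b"%PDF-")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],
    # OOXML Office documents are ZIP containers.
    ".docx": [(0, b"PK\x03\x04")],
    ".xlsx": [(0, b"PK\x03\x04")],
    ".exe": [(0, b"MZ")],
    ".dll": [(0, b"MZ")],
}

def detect_types(header: bytes) -> set:
    """Return the set of extensions whose magic matches the header bytes."""
    found = set()
    for ext, sigs in MAGIC.items():
        for off, magic in sigs:
            if header[off:off + len(magic)] == magic:
                found.add(ext)
    return found

def check_attachment(name: str, header: bytes) -> tuple:
    """Classify an attachment as 'match', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(name)[1].lower()
    detected = detect_types(header)
    if ext in detected:
        return ("match", ext, sorted(detected))
    if detected:
        # Known file type, but it does not agree with the extension.
        return ("mismatch", ext, sorted(detected))
    return ("unknown", ext, [])

# Constructed sample attachment headers (first bytes only), not real captures.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # PE executable named .pdf
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme.txt": b"Hello, this is plain text",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, check_attachment(name, header))
```

A "mismatch" result (for example, an MZ header behind a .pdf name) is the case the recommendation is aimed at; "unknown" simply means the type is not in the signature table.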
Submitted files list:
CISA has also released the indicators of compromise for the reported activity in STIX format.