Pulse Secure

SpearTip | July 27th, 2021


The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning today that over a dozen malware variants had been found on exploited Pulse Secure devices, most of which went undetected by antivirus software.

Pulse Secure Devices Exploited

Threat actors have been targeting Pulse Secure devices at US Government agencies, key infrastructure entities, and numerous private sector companies since at least June 2020.

Adversaries gained initial access by exploiting vulnerabilities including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893, then established backdoor access by installing webshells.

CISA today released analysis reports for 13 malware samples discovered on compromised Pulse Secure devices; some samples consist of multiple files. Administrators are advised to review the reports for indicators of compromise and to familiarize themselves with the threat actor's tactics, techniques, and procedures (TTPs).

CISA also noted that every file it examined was recovered from compromised Pulse Connect Secure devices, and that several were modified versions of legitimate Pulse Secure scripts.

The webshells embedded in these malicious files were used to receive and execute remote commands, giving the attackers both persistence and remote access.

According to CISA, one of the malware samples is a “modified version of a Pulse Secure Perl Module,” specifically DSUpgrade.pm, a crucial component in the system upgrade operation, which the attackers altered into a webshell (ATRIUM) to extract and execute remote commands.

CISA discovered the following valid Pulse Secure files that had been modified by the attacker:

  • licenseserverproto.cgi (STEADYPULSE)
  • tnchcupdate.cgi
  • healthcheck.cgi
  • compcheckjs.cgi
  • DSUpgrade.pm.current
  • DSUpgrade.pm.rollback
  • clear_log.sh (THINBLOOD LogWiper Utility Variant)
  • compcheckjava.cgi (HARDPULSE)
  • meeting_testjs.cgi (SLIGHTPULSE)

Most of the files CISA found on compromised Pulse Secure devices were undetected by antivirus solutions at the time of the investigation. Only one had been uploaded to the VirusTotal file scanning platform, roughly two months before the report, where a single antivirus engine flagged it as a variant of the ATRIUM webshell.
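The practical check these findings point to is a file-integrity comparison: a trojanized copy of a legitimate script has a different hash from the copy on a known-good image of the same version, whether or not any antivirus engine flags it. The Python below is an added example, not CISA's analysis tooling or Pulse Secure's own integrity checker. The directory layout (`dana-na/auth`, `bin`), the file contents, the hypothetical `newhandler.cgi`, and the baseline itself are constructed for the demo, and the severity ranking is the editor's own heuristic built from the file names CISA listed above.

```python
"""Hash-baseline integrity check over a Pulse Connect Secure style file tree.

Added example; not CISA's analysis tooling and not Pulse Secure's integrity
checker. The directory layout, file contents and baseline are constructed.
On a real appliance the baseline must come from a known-good image of the
same version, and the paths will differ from the ones used here.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File names CISA reported as trojanized on compromised appliances, plus the
# unsuffixed DSUpgrade.pm module the .current/.rollback copies derive from.
# Used only to rank findings; any modified file is still reported.
WATCHLIST = {
    "licenseserverproto.cgi", "tnchcupdate.cgi", "healthcheck.cgi",
    "compcheckjs.cgi", "DSUpgrade.pm", "DSUpgrade.pm.current",
    "DSUpgrade.pm.rollback", "clear_log.sh", "compcheckjava.cgi",
    "meeting_testjs.cgi",
}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
CODE_SUFFIXES = (".cgi", ".pm", ".sh", ".pl")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict[str, str], current: dict[str, str]):
    """Return (modified, added, missing) relative paths, each list sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def triage(root: Path, baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare the live tree against the baseline and rank the differences.

    A modified file whose name is on the watchlist is HIGH; any other modified
    file is MEDIUM (it may still carry a webshell, so it is never dropped).
    A new file with a script suffix is HIGH; other new files are LOW.
    A missing file is LOW on its own but worth noting beside other findings.
    """
    modified, added, missing = diff_manifests(baseline, build_manifest(root))
    findings: list[tuple[str, str, str]] = []
    for rel in modified:
        sev = "HIGH" if Path(rel).name in WATCHLIST else "MEDIUM"
        findings.append((sev, "modified", rel))
    for rel in added:
        sev = "HIGH" if rel.endswith(CODE_SUFFIXES) else "LOW"
        findings.append((sev, "added", rel))
    for rel in missing:
        findings.append(("LOW", "missing", rel))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[2]))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Build a constructed tree, baseline it, simulate tampering, and triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dana-na/auth").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "dana-na/auth/healthcheck.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "bin/DSUpgrade.pm").write_text("package DSUpgrade;\nsub run { 1 }\n1;\n")
        (root / "bin/clear_log.sh").write_text("#!/bin/sh\n: > /tmp/demo.log\n")
        baseline = build_manifest(root)  # stands in for a known-good image

        # Simulated tampering (constructed, not real malware): extra code
        # appended to a legitimate module, a new CGI dropped beside the real
        # ones, and a script removed.
        with (root / "bin/DSUpgrade.pm").open("a") as fh:
            fh.write("# marker standing in for injected code\n")
        (root / "dana-na/auth/newhandler.cgi").write_text("#!/usr/bin/perl\n")
        (root / "bin/clear_log.sh").unlink()
        return triage(root, baseline)


if __name__ == "__main__":
    for severity, kind, rel in demo():
        print(f"{severity:<6} {kind:<9} {rel}")
```

Two design points matter when running something like this for real. The baseline has to be taken from vendor media or a trusted image of the exact same version, never from the suspect appliance itself, since the trojanized scripts were themselves the "legitimate" copies on disk. And a clean hash comparison only covers files present at baseline time, which is why newly added script files are ranked as high as modified ones here: the webshells in CISA's list were not all modifications of existing files.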

CISA recommends the following:

  • Keep antivirus signatures and engines up to date.
  • Keep operating system patches current.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and require regular password changes.
  • Exercise caution when opening e-mail attachments, even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits and restrict access to sites with unfavorable content.
  • When working with removable media devices (e.g., USB thumb drives, external drives, CDs, etc.)
  • Scan all software downloaded from the internet before executing it.
  • Maintain situational awareness of the latest threats and implement Access Control Lists (ACLs) as appropriate.

Antivirus alone is not enough to protect your organization, and the undetected malware described above proves the point. Engage with SpearTip to give our engineers full visibility over your devices. We specialize in protecting organizations from threats that evade general-purpose security tools.

The ShadowSpear platform, our endpoint detection and response tool, can detect any threats and block them from gaining access to your network. This platform working alongside our 24/7 Security Operations Center is the advancement your company needs to continue business operations without being harmed by constant threats.

The Security Operations Center as a Service (SOCaaS) combines human intelligence and response with a state-of-the-art detection tool in ShadowSpear. You’ll have full cybersecurity protection and access to our 24/7 engineers at any moment of the day.

If you’re experiencing a breach, call our response hotline at 833.997.7327.
