The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning today that over a dozen malware variants were found on exploited Pulse Secure devices, most of which go undetected by antivirus software.
Threat actors have been targeting Pulse Secure devices at US Government agencies, key infrastructure entities, and numerous private sector companies since at least June 2020.
Adversaries gained initial access by exploiting various vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-2289, and then established backdoor access by installing webshells.
CISA today released analysis reports for 13 malware samples discovered on hacked Pulse Secure devices, some of which consist of multiple files. Administrators are advised to examine the reports for signs of a breach and to learn the threat actors’ tactics, techniques, and procedures (TTPs).
CISA also found that all of the files it examined had been placed on compromised Pulse Connect Secure devices, and that some of them were modified versions of legitimate Pulse Secure scripts.
The malicious files included webshells that the attackers used to execute remote commands, giving them persistence and remote access.
According to CISA, one of the malware samples is a “modified version of a Pulse Secure Perl Module,” specifically DSUpgrade.pm, a core component of the system upgrade process, which the attackers altered into a webshell (ATRIUM) to receive and execute remote commands.
CISA identified the following legitimate Pulse Secure files that had been modified by the attacker:
The majority of the files CISA discovered on hacked Pulse Secure devices were undetected by antivirus solutions at the time of the investigation. Only one of them had been uploaded to the VirusTotal file scanning platform, two months earlier, and it was flagged by a single antivirus engine as a variant of the ATRIUM webshell.
CISA recommends the following:
Antivirus alone is not enough to protect your organization, and the undetected malware mentioned above proves this point. Engage with SpearTip to allow our engineers to have full vision over your devices. We specialize in protecting organizations from threats that can evade general security tools.
The ShadowSpear platform, our endpoint detection and response tool, detects threats and blocks them from gaining access to your network. Working alongside our 24/7 Security Operations Center, this platform is the advancement your company needs to continue business operations without being harmed by constant threats.
The Security Operations Center as a Service (SOCaaS) combines human intelligence and response with a state-of-the-art detection tool in ShadowSpear. You’ll have full cybersecurity protection and access to our 24/7 engineers at any moment of the day.
If you’re experiencing a breach, call our response hotline at 833.997.7327.