Dozens of Malware on Pulse Secure Devices Targeting U.S. Organizations

What has happened?

• According to the agency, the attackers are abusing multiple vulnerabilities, including CVE-2020-8243, CVE-2019-11510, CVE-2021-2289, and CVE-2020-8260, for initial access to placing web shells for deploying backdoors.
• In most of the instances, the malicious files were spotted as web shells used for activating and then executing remote commands for remote access and persistence, along with utilities.
• In one case, the agency discovered a tampered version of a Pulse Secure Perl Module, which was modified into an Atrium web shell. Named DSUpgrade[.]pm, this was the main file in the system upgrade process.

Additional insights

• The list of genuine Pulse Secure files discovered by the agency modified by attackers included licenseserverproto[.]cgi (STEADYPULSE), tnchcupdate[.]cgi, healthcheck[.]cgi, and compcheckjs[.]cgi.
• Other files are DSUpgrade[.]pm[.]current, DSUpgrade[.]pm[.]rollback, clear_log[.]sh (variant of THINBLOOD LogWiper), compcheckjava[.]cgi (Hardpulse), and meeting_testjs[.]cgi (SLIGHTPULSE).
• Some of these files were tampered with for malicious actions in incidents that occurred last year. 
• In April, Chinese hackers were believed to be abusing CVE-2021-22893 in Pulse Connect Secure gateway for initial entry.

Conclusion