The attacks targeting several known vulnerabilities in Pulse Connect Secure appliances are continuing, and adversaries are using a variety of new tools, scripts, and malware to gain initial access, maintain persistence, and harvest credentials on compromised appliances.
The Cybersecurity and Infrastructure Security Agency (CISA) has been tracking the exploitation activity and analyzing the tools and techniques various attackers have been using, and has released analyses of five new pieces of malware used in attacks on PCS appliances. Two of the newly analyzed tools are designed to gather valid user credentials when users log in to compromised appliances, while others provide remote command execution for the attacker.
“To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching,” CISA’s advisory says.
CISA has published 18 separate malware analysis reports on tools used in attacks against PCS appliances, and the five new ones released Monday show that threat actors are continuing to develop additional malware for use in these operations. PCS appliances are widely deployed VPN boxes that are used in many large enterprises and government agencies, both in the United States and around the world.
Two of the vulnerabilities that attackers are exploiting in these operations were disclosed in 2019 and 2020, respectively, while the third was disclosed in early 2021. The newer one, CVE-2021-22893, is actually a collection of several use-after-free flaws in PCS before 9.1R11.4 that allow remote code execution. The company resolved those vulnerabilities several months ago, but there are still plenty of vulnerable appliances online, and the attacks against these bugs are ongoing.
One of the new pieces of malware that CISA analyzed is a simple script, but it enables the attacker to gather valid credentials.
“This file contains a malicious shell script recovered from a compromised Pulse Secure device. This malicious script is designed to modify the Pulse Secure login.cgi script effectively causing it to log a valid user's username and password credentials into a file stored on disk,” CISA’s analysis says.
One of the other reports is somewhat more troubling, though. It includes details of four separate files used in current attacks, one of which can be used to help bypass multi-factor authentication.
“Some of the files consist of shell scripts designed to modify a Pulse Secure Perl Common Gateway Interface (CGI) script file in place to become a webshell. One file is designed to intercept certificate-based multi-factor authentication. The other files are designed to check, parse and decrypt incoming web request data,” CISA’s analysis says.
Organizations with PCS deployments should ensure that they are updated to the current version. Ivanti has also released a tool that can check the integrity of the PCS software.
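The malware described above works by editing legitimate CGI scripts such as login.cgi in place, which is exactly the kind of change a file-integrity check catches. The following Python is an added illustration of that check, not CISA's analysis code or Ivanti's integrity tool; the file paths, script contents, and baseline hashes are constructed for the example, and it also flags removed files and unexpected new files, which the page's webshell scenario would produce.

```python
import hashlib

# Constructed baseline: contents of the known-good CGI scripts. The paths and
# bodies are hypothetical, not real Pulse Connect Secure files or hashes.
KNOWN_GOOD = {
    "cgi/login.cgi": "#!/usr/bin/perl\n# original login handler\nprint 'ok';\n",
    "cgi/welcome.cgi": "#!/usr/bin/perl\nprint 'welcome';\n",
}


def sha256_text(text: str) -> str:
    """SHA-256 of a script body, as the baseline and the live check both use."""
    return hashlib.sha256(text.encode()).hexdigest()


# Hashes recorded from a trusted install; in practice they come from the
# vendor or from a snapshot taken before the appliance was exposed.
BASELINE = {path: sha256_text(body) for path, body in KNOWN_GOOD.items()}


def check_integrity(baseline: dict, current: dict) -> list:
    """Compare live file contents against baseline hashes.

    Returns a sorted list of (path, status): 'modified' for in-place edits
    (the login.cgi credential logger), 'missing' for removed scripts, and
    'unexpected' for files absent from the baseline (a dropped webshell).
    """
    findings = []
    for path, good_hash in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256_text(current[path]) != good_hash:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected"))
    return sorted(findings)


# Constructed post-compromise snapshot: login.cgi has a line appended and a
# new script has appeared alongside the legitimate ones.
COMPROMISED = {
    "cgi/login.cgi": KNOWN_GOOD["cgi/login.cgi"] + "# appended line\n",
    "cgi/welcome.cgi": KNOWN_GOOD["cgi/welcome.cgi"],
    "cgi/extra.cgi": "#!/usr/bin/perl\nprint 'unknown';\n",
}

if __name__ == "__main__":
    for path, status in check_integrity(BASELINE, COMPROMISED):
        print(f"{status:10} {path}")
```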