These 13 malware variants are used to hack and take control of Pulse Secure devices. Make sure your antivirus can detect them

In its most recent report, the Cybersecurity and Infrastructure Security Agency (CISA) alerted users of Pulse Secure devices to the discovery of at least 13 malware samples found on affected devices. These devices have been the target of frequent security incidents at private companies and government organizations in the U.S. since at least 2020.

These attacks are closely related to vulnerabilities tracked as CVE-2019-11510, CVE-2020-8260, and CVE-2021-2289, which allow threat actors to find initial access points and place webshells to gain backdoor access to the target system.

The agency published a detailed report on the 13 malware samples detected on the compromised devices so that IT administrators have the most updated information about this hacking campaign, its attack methods and indicators of compromise.

As mentioned at the outset, all samples analyzed by CISA were detected on Pulse Connect Secure devices and are mostly modified versions of legitimate scripts. These acted as webshells for the execution of remote commands that allow gaining persistence and obtain remote access to vulnerable systems, in addition to other utilities.

One of the malware samples analyzed in greater detail is described by CISA as a modified version of the Pulse Secure Perl module, the cornerstone in the system update process on these devices. Threat actors managed to modify the file to execute arbitrary commands remotely.

Among the legitimate Pulse Secure files modified by hackers are:

  • licenseserverproto.cgi (STEADYPULSE)
  • tnchcupdate.cgi
  • healthcheck.cgi
  • compcheckjs.cgi
  • DSUpgrade.pm.current
  • DSUpgrade.pm.rollback
  • clear_log.sh (THINBLOOD LogWiper Utility Variant)
  • compcheckjava.cgi (hardpulse)
  • meeting_testjs.cgi (SLIGHTPULSE)

An earlier report by security firm Mandiant had also noted the detection of multiple incidents related to the modification of legitimate files in Pulse Secure. Mandiant researchers attributed this hacking campaign to a Chinese APT group dedicated to exploiting CVE-2021-22893. These reports mentioned that hackers were able to modify pulse secure system files to extract the credentials of affected users.

The Agency concluded its report by listing some security recommendations to mitigate the risk of attack:

  • Keep signatures and antivirus solutions up-to-date
  • Keep your operating system up to date
  • Disable file and printer sharing services or use them only with strong passwords or with Active Directory authentication
  • Restrict users’ permissions to install and run unwanted software applications and maintain a small number of administrative users

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.