On July 21st, the US Cybersecurity and Infrastructure Security Agency (CISA) released thirteen malware analysis reports covering webshells and utilities used by threat actors after exploiting vulnerabilities in Pulse Connect Secure, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-2289. “Since at least June 2020, Pulse Secure devices . . . have been the target of attacks from threat actors,” according to CISA, and the released reports cover the initial findings from some of these incidents. Most of the initial findings are webshells, but others are utilities. In the case of MAR-10337580-2.v1, the utility installs a script that steals the credentials of users who log in successfully; in the case of MAR-10337580-1.v1, it attempts to maintain persistence through a more creative means: a malicious replacement of the “umount” system utility.
With the continued exploitation of Pulse Secure devices, it is becoming more important to include application and system logs from these devices when assessing one’s threat landscape. If patching is not possible, then collecting logs from Pulse Secure devices and shipping them to a centralized log store can be invaluable to a Security Operations Center for detecting exploitation early in the process. Building detections around available exploits can put organizations ahead of low-skilled attackers who merely take the publicly available proof-of-concept code and use it against exposed devices. However, the best way to prevent these attacks is to apply the patches that mitigate the vulnerabilities.
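As an added illustration of the kind of detection the paragraph above calls for (not code from the original post or from CISA), the script below scans forwarded web-access-style log lines for path traversal, the vulnerability class behind CVE-2019-11510, including the double-percent-encoding edge case that a naive substring match misses. The log format, the regular expression and the sample lines are all constructed assumptions; real Pulse Secure logs will need `LOG_RE` adjusted to their layout.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Assumed log shape (constructed): common web-access-style lines with the request
# path in double quotes. Adjust LOG_RE to the actual forwarded log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '%252e%252e' is caught,
    then fold backslashes so '..\\' is treated like '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(path: str) -> bool:
    """True if any normalized path segment is exactly '..' (query string ignored)."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line whose request path contains traversal.
    A 200 status on such a request is the strongest signal of success."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": m["status"]})
    return hits

# Constructed sample lines; not taken from any real device or from the CISA reports.
SAMPLE_LOGS = [
    '203.0.113.7 - - [21/Jul/2021:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Jul/2021:10:00:05 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1824',
    '203.0.113.9 - - [21/Jul/2021:10:00:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 230',
    '203.0.113.9 - - [21/Jul/2021:10:00:12 +0000] "GET /static/%252e%252e/%252e%252e/data HTTP/1.1" 403 0',
    '198.51.100.3 - - [21/Jul/2021:10:01:00 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```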