On July 21st, the US Cybersecurity and Infrastructure Security Agency (CISA) released thirteen malware analysis reports covering webshells and utilities used by threat actors after exploiting vulnerabilities in Pulse Connect Secure, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-2289. “Since at least June 2020, Pulse Secure devices . . . have been the target of attacks from threat actors,” according to CISA, and the released reports cover the initial finding from some of these incidents. Most of the initial findings are webshells, but others are utilities that will install a script to steal the credentials of users who log in successfully in the case of MAR-10337580-2.v1. Others would attempt to use creative means to maintain persistence through a malicious replacement of the “umount” system utility, in the case of MAR-10337580-1.v1.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is