The U.S. government agencies and private organizations along with other critical infrastructures were being targeted by dozens of malware that have been detected to target Pulse secure devices with flaws and vulnerabilities.
According to the analysis report by CISA, around 13 malware were found on the compromised devices of Pulse Secure. Some of them were detected to drop even multiple files on the devices they targeted.
To deploy the backdoors, they needed initial access for the placing of web shells. To achieve this target, they exploited multiple vulnerabilities like the CVE-2019-11510, CVE-2021-2289, etc. Generally, the malicious files were detected as web shells which were used to activate the malware and then for running commands to gain remote access and persistence along with utilities.
Some additional insights to the attack-
The CISA executed a detailed analysis of a large number of files that were being targeted on the infected Pulse Secure devices. They found that some of the files were just modified versions of the legitimate Pulse Secure Script.
In Aril, Chinese hackers were attempting to gain the initial entry to the Pulse Secure devices by exploiting the CVE-2021-22893 vulnerability in the devices.
It has been recommended by the federal agencies to review the reports that revealed the indicator of compromise of the Pulse secure devices. They are advised to gain a detailed knowledge of the TTP’s of the hacker.