
CISA issues malware analysis reports from ongoing Pulse row

Members of the public observe military and commercial aircraft at the Farnborough Airshow on July 20, 2010 in Farnborough, England. The defense industrial base was the primary target of the attacks leveraging Pulse Secure discovered in the spring. (Photo by Dan Kitwood/Getty Images)

Building on its ongoing guidance involving actively exploited vulnerabilities in Ivanti's Pulse Secure products, the Cybersecurity and Infrastructure Security Agency released 13 malware analysis reports Wednesday.

Hackers had been exploiting a chain of vulnerabilities in Pulse Secure products, including a zero-day, for at least 10 months by the time CISA first issued an alert in April of this year. That alert was soon amended to include new vulnerabilities and a list of TTPs. Ivanti has been working with CISA throughout the process.

The since-patched vulnerabilities ultimately offered hackers remote code execution. The vulnerabilities were found in Pulse Connect Secure VPNs up to version 9.1R.11.4.

On April 20, FireEye was the first to report the active threat against Pulse Secure, primarily focused on the defense industrial base, which it assessed was likely the work of APT actors operating out of China.

The malware profiled by CISA covers a wide array of functions, though many of the samples appear to be legitimate Pulse Secure scripts modified to load web shells. According to the CISA analysis, commercial antivirus programs detected only five of the 13 samples.

CISA closes each malware analysis report with detailed guidance to abide by traditional cyber hygiene standards.

Ivanti purchased Pulse Secure in December, five months after the hacker campaign began.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
