Building on its ongoing guidance involving actively exploited vulnerabilities in Ivanti's Pulse Secure products, the Cybersecurity and Infrastructure Security Agency released 13 malware analysis reports Wednesday.
Hackers had been exploiting a chain of vulnerabilities in Pulse Secure products, including a zero-day, for at least 10 months by the time CISA first issued an alert in April of this year. That alert was soon amended to include new vulnerabilities and a list of TTPs. Ivanti has been working with CISA throughout the process.
The since-patched vulnerabilities ultimately offered hackers remote code execution. The vulnerabilities were found in Pulse Connect Secure VPNs up to version 9.1R.11.4.
On April 20, FireEye was the first to report the active threat against Pulse Secure, which primarily targeted the defense industrial base and which FireEye believed was likely the work of APT actors out of China.
The malware samples profiled by CISA cover a wide array of functions, though many appear to be legitimate Pulse Secure scripts modified to load web shells. According to the CISA analysis, commercial antivirus programs caught only five of the 13 samples.
CISA closes each malware analysis report with detailed guidance to abide by traditional cyber hygiene standards.
Ivanti purchased Pulse Secure in December, five months after the hacker campaign began.