Pulse Secure VPN devices are being targeted by four newly identified malware tools. The activity is associated with the exploitation of a critical vulnerability in the VPN appliances, rated 10/10 on the CVSS scale.
Critical Pulse Secure VPN vulnerability:
“Mandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices,” noted the involved Mandiant security researchers.
These malware families are linked to authentication bypass and backdoor access on the devices.
The researchers noted that the families are not necessarily related to one another; they were observed separately during analysis of compromised Pulse Secure VPN appliances.
The vulnerability being exploited alongside this new set of malware tools is tracked as CVE-2021-22893.
The CVE description reads as follows:
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.
In practical terms, successful exploitation gives an unauthenticated attacker the ability to run arbitrary code on the gateway itself, which is what earns the vulnerability its maximum severity score.
Devices compromised through this flaw have also been found hosting the new malware tools.
Mandiant also reported that several of these tools steal user credentials from the Pulse Secure VPN devices.
Perhaps most concerning, the data at risk includes users' Pulse Secure VPN logins; the firm has not said whether other credentials can be stolen as well.
The newly identified malware tools are as follows:
- Rapidpulse (a webshell implemented as a modification to a legitimate Pulse Secure file)
- Bloodmine (a utility that parses Pulse Connect Secure log files and extracts logins, message IDs, and web requests)
- Bloodbank (a credential-theft utility that parses files containing password hashes or plaintext credentials)
- Cleanpulse (a memory-patching tool used to prevent specific log events from being recorded)
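The CVE description above gives only the lower bound of the affected range ("9.0R3/9.1R1 and higher"), which is awkward to apply to a fleet of appliances by hand. The following triage helper is an added example, not code from the article or from Mandiant or Pulse Secure: it parses Pulse Connect Secure version strings of the form `major.minorRrelease[.subrelease]` and reports whether a build falls in the affected range. The upper bound, 9.1R11.4, is taken from Pulse Secure's fix release for CVE-2021-22893 rather than from this page, and is kept as a single named constant so it can be adjusted if a different advisory applies. The version strings in the sample inventory are constructed for illustration.

```python
import re
from typing import Tuple

# Lower bound comes straight from the CVE text: "9.0R3/9.1R1 and higher".
# 9.1R1 is already above 9.0R3 in version order, so one threshold suffices.
AFFECTED_FROM: Tuple[int, int, int, int] = (9, 0, 3, 0)

# First build that carries the fix. Taken from the vendor's fix release for
# CVE-2021-22893 (not stated on the page); treat as the assumed patch level.
FIXED_FROM: Tuple[int, int, int, int] = (9, 1, 11, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_pcs_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.1R11.4' into (9, 1, 11, 4); '9.0R3' becomes (9, 0, 3, 0).

    Raises ValueError for anything that is not a PCS-style version string,
    so an unexpected inventory value is surfaced rather than silently skipped.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Pulse Connect Secure version string: {text!r}")
    major, minor, release, sub = m.groups()
    return int(major), int(minor), int(release), int(sub or 0)


def is_affected(version: str) -> bool:
    """True if the build is in [9.0R3, 9.1R11.4), i.e. vulnerable per the CVE text
    and below the assumed fix level. A patched version only means the flaw is
    closed going forward; it says nothing about whether the box was already
    compromised, so this is a triage aid, not a compromise assessment.
    """
    v = parse_pcs_version(version)
    return AFFECTED_FROM <= v < FIXED_FROM


def triage(inventory: dict) -> dict:
    """Map each appliance name to 'affected', 'not affected' or 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "vpn-east-1": "9.1R11.3",
        "vpn-east-2": "9.1R11.4",
        "vpn-west-1": "9.0R2",
        "vpn-lab-1": "9.0R3",
        "vpn-legacy": "8.3R7.1",
        "vpn-unknown": "n/a",
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:10s} {status}")
```

The comparison deliberately uses tuple ordering rather than string ordering: as strings, "9.1R11.4" sorts before "9.1R2", which would misclassify patched builds.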