PULSE SECURE VPN VULNERABILITY CODE
It allows an unauthenticated user to run arbitrary code remotely. Though the exploit requires admin privileges authentication, it can be triggered by simply clicking on a malicious link by the admin. It is a command injection vulnerability found in the downloadlicenses.cgi file of the admin portal. The Pulse, Secure RCE vulnerability, CVE-2020-8218, was identified in version 9.1R7. Among those is the Pulse Secure Connect VPN exploit: Pulse Secure SSL-VPN RCE Exploit Traffic (CVE-2020-8218) You will also notice that the malware downloads the payload from the same IPs as mentioned above:Ĭontinuing the analysis, we found that the binary footprint of the malware contains multiple exploit traffic. Generally, IoT malware tries to manipulate the watchdog and prevents the device from restarting. Gafgyt malware does the same.
The figure below shows a series of API calls. This is a useful indicator to allow categorization of the malware. The malware tries to print “bigB04t” as an output via a write API call.
The binaries belong to different architectures, i.e., ARM, MIPS, PowerPC, Renesas SH, Intel, Motorola m68k, and SPARC. This indicates that the malware author(s) target almost every architecture to maximize the success of their exploit.Īfter successful threat chain analysis of the binaries, we identified the following IPs responsible for downloading the malware. For example, DNS amplification flooding comes from Tsunami, as shown below: However, it borrows some functionality from other families. Most of the functionality (shown below) is the same as Gafgyt. AnalysisĪnalysis of the binaries led to the identification of a new variant of the Gafgyt family of malware. In this article, we will explore these new attacks. These malware binaries contain multiple exploit footprints, and they include CVE-2020-8218 (Pulse Secure). However, recently Avira’s IoT labs have seen a surge in IoT malware binaries. For example, vphishing (voice phishing) is widely used in an attempt to steal employees’ VPN credentials and access their organization’s network either directly or by taking advantage of platform vulnerabilities.ĭuring late summer 2020, a code execution vulnerability in Pulse Secure version 9.1 R7 was publicized and subsequently patched in version 9.1 R8. VPN technology, such as Pulse Secure’s Connect VPN, became a focus of attacks. When the world started to work-from-home, cybercriminals changed their focus.
0 kommentar(er)
