April 21, 2021

This is a huge one – Pulse Secure 0-day


The attackers are **actively exploiting** this vulnerability through a well defined kill chain that permits to:

* Trojanize shared objects with malicious code to **log credentials** and **bypass authentication** flows, including multifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.
* **Inject webshells** we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse Secure VPN appliance administrative web pages for the devices.
* **Toggle** the filesystem between Read-Only and **Read-Write** modes to allow for file modification on a typically Read-Only filesystem.
* Maintain **persistence** across VPN appliance general upgrades that are performed by the administrator.
* Unpatch modified files and delete utilities and scripts after use to **evade detection**.
* **Clear relevant log** files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.