CISA warns of active attacks in webshells campaign: 10 tips to protect your hospital

Cyberterrorists are launching a new webshell malware campaign that targets vulnerabilities in Pulse Connect Secure network connectivity products. To help organizations secure themselves, the Cybersecurity and Infrastructure Security Agency (CISA) recommends 10 mitigation measures for users and administrators.

Cybercriminals are placing webshells on Pulse Connect Secure appliances, which allows them to bypass authentication and multifactor authentication, log passwords and persist through network patching. The cybersecurity agency has already assisted several companies that have fallen victim to webshell campaigns in these attacks.

Ten guidelines to protect your organization against webshell attacks:

  1. Review and run the Pulse Connect Secure integrity tool until the patch has been deployed and the threats are mitigated.

  2. Update to the latest software version, which contains security enhancements.

  3. Once the network has been preserved, consider disabling the external-facing interface and re-enabling it once the threats have been reduced.

  4. If evidence of unauthorized activity is found, contact CISA with your findings and contact Pulse Connect for help capturing forensic information.

  5. Change all passwords associated with accounts that pass through the Pulse Connect environment and accounts that could be modified by an account accessible on the Pulse Connect network. Assume all of these accounts have been compromised.

  6. Be aware that factory resetting a Pulse Connect appliance removes only the malicious code. It does not remove the threat actor from the environment, and they can use compromised credentials to regain access even after the appliance is fully patched.

  7. Review logs for unauthorized authentication.

  8. Look for unauthorized applications and scheduled tasks in the environment.

  9. Ensure no new administrators were created, or non-privileged users were added to any privileged group.

  10. Remove from the network any programs not authorized by the organization.
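One way to work through tips 7 to 9 together is to triage exported log events against a baseline of what the organization has approved. The script below is an added example, not CISA's or Pulse Secure's tooling. It assumes the environment behind the appliance logs Windows Security events (IDs 4624, 4720, 4728/4732/4756 and 4698), and every account name, task path, network range and event record in it is constructed.

```python
import ipaddress

# Assumed baseline (constructed): what the organization has approved.
APPROVED_ADMINS = {"alice.admin", "svc-backup"}
APPROVED_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Windows Security event IDs: logon, account created, scheduled task created.
LOGON, USER_CREATED, TASK_CREATED = 4624, 4720, 4698
GROUP_ADDS = {4728, 4732, 4756}  # member added to global/local/universal group

# Constructed sample events, shaped like a flattened Security log export.
EVENTS = [
    {"id": 4624, "time": "2024-01-15T02:11:09Z", "user": "alice.admin", "src_ip": "10.20.4.17"},
    {"id": 4624, "time": "2024-01-15T03:40:51Z", "user": "alice.admin", "src_ip": "203.0.113.45"},
    {"id": 4720, "time": "2024-01-15T03:42:10Z", "user": "alice.admin", "target": "helpdesk2"},
    {"id": 4732, "time": "2024-01-15T03:42:30Z", "user": "alice.admin", "target": "helpdesk2",
     "group": "Administrators"},
    {"id": 4728, "time": "2024-01-15T09:00:00Z", "user": "alice.admin", "target": "svc-backup",
     "group": "Domain Admins"},
    {"id": 4698, "time": "2024-01-15T03:44:02Z", "user": "helpdesk2", "task": r"\Updater\sync"},
    {"id": 4698, "time": "2024-01-16T01:00:00Z", "user": "SYSTEM",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

def triage(events):
    """Return (time, tip, reason) findings for tips 7-9, oldest first."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == LOGON:
            # Tip 7: authentication from outside the approved networks.
            ip = ipaddress.ip_address(ev["src_ip"])
            if not any(ip in net for net in APPROVED_NETS):
                findings.append((ev["time"], 7, f"logon by {ev['user']} from {ip}"))
        elif eid == TASK_CREATED and ev["task"] not in APPROVED_TASKS:
            findings.append((ev["time"], 8, f"task {ev['task']} created by {ev['user']}"))
        elif eid == USER_CREATED:
            # Tip 9: every account created in the review window gets a look.
            findings.append((ev["time"], 9, f"account {ev['target']} created by {ev['user']}"))
        elif (eid in GROUP_ADDS and ev["group"] in PRIVILEGED_GROUPS
                and ev["target"] not in APPROVED_ADMINS):
            findings.append((ev["time"], 9, f"{ev['target']} added to {ev['group']}"))
    return sorted(findings)  # ISO-8601 UTC timestamps sort chronologically

if __name__ == "__main__":
    for when, tip, reason in triage(EVENTS):
        print(f"{when}  tip {tip}: {reason}")
```

Sorting the findings by time puts the off-network logon, the new account, its promotion to a privileged group and the new scheduled task next to each other, which is the sequence a reviewer needs to see.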


Copyright © 2024 Becker's Healthcare. All Rights Reserved.