AA20-107A - Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
Indicators
The Cybersecurity and Infrastructure Security Agency (CISA) has produced an update to Activity Alert AA20-010A - Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510. The update provides new detection methods for this activity, including a CISA-developed tool that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This IOC package contains indicators CISA analysts have observed related to this activity.
CISA analysts observed IP 38.68.36.112 making unauthorized connections over ports 9090 and 8088, and believe it to be part of threat actor attack infrastructure. The other IP address indicators provided in this package are low quality (mostly Tor nodes) but were observed exploiting the vulnerability. This activity was observed as recently as February 15, 2020.
CISA analysts observed a cyber threat actor renaming portable executable (PE) files in an attempt to subvert application whitelisting or antivirus (AV) protections.
CISA analysts also observed a threat actor "living off the land" and utilizing "C:\Python\ArcGIS" to house malicious PE files, as well as using natively installed Python.
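As an added illustration of how a defender can catch the renaming described above (this is not CISA's tool or code from the alert), the following Python scan identifies PE files by their header rather than their extension; the directory tree, file names and the minimal header stub it uses are constructed here:

```python
# Added example (not CISA's tool): find PE files renamed to non-PE extensions.
import os
import struct
import tempfile

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv", ".cpl"}

# Constructed sample: DOS header whose e_lfanew (offset 0x3C) points at a
# PE signature at 0x80. Only headers, not a working executable.
PE_STUB = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
           + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 20)


def has_pe_signature(data: bytes) -> bool:
    """True if data starts with a DOS header pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew >= 0x40 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_renamed_pe(path: str) -> bool:
    """True when the file is a PE but its extension does not say so."""
    if os.path.splitext(path)[1].lower() in PE_EXTENSIONS:
        return False
    with open(path, "rb") as fh:  # e_lfanew normally sits well inside 4 KiB
        return has_pe_signature(fh.read(4096))


def scan_for_renamed_pe(root: str) -> list:
    """Walk root and return PE files that carry non-executable extensions."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_renamed_pe(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return sorted(hits)


def demo() -> list:
    """Write a constructed tree (stand-in for C:\\Python\\ArcGIS) and scan it."""
    root = tempfile.mkdtemp()
    samples = {"renamed.py": PE_STUB,          # PE behind a script extension
               "script.py": b"print('hi')\n",  # genuine Python source
               "legit.exe": PE_STUB}           # PE with an honest extension
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return [os.path.basename(p) for p in scan_for_renamed_pe(root)]
```

Pointing `scan_for_renamed_pe` at a real staging directory lists every file whose bytes say "PE" while its name says otherwise, which a whitelist keyed on extension alone would miss.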
CISA observed the following user agents with this activity:
- Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
- Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
- Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36
For more information about this activity, to include detection and mitigation recommendations, see CISA Activity Alert, AA20-107A - Continued Threat Actor Exploitation Post Pulse Secure VPN Patching.
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2020-04-15T00:00:00