
CISA reports that a threat actor was able to compromise the network of a federal agency, create a reverse proxy, and install malware. The attack relied on compromised credentials for initial access and resulted in multi-stage malware being installed on the affected agency's systems without triggering the anti-malware protections already in place. CISA speculates that the perpetrator may have obtained the necessary credentials by exploiting a known vulnerability in Pulse Secure VPN software, which should have been patched in April 2019. The actor achieved persistent access through an SSH tunnel/reverse SOCKS proxy and executed unique, multi-stage malware to drop files.

More at Security Week