GRIMM Blog

Pulse Connect Secure vulnerability CVE-2021-22893 and other old vulnerabilities are being actively exploited. While GRIMM engineers were not able to obtain a device or the firmware for a full analysis, the device in question looks like a Linux-based rack-mounted server that sits inside the firewall and mediates all kinds of access for clients accessing it via a web interface. Based on the available information, it appears weaknesses in the web application within the device have been the root of multiple problems, including the most recent vulnerability. Takeaway This was not a supply chain attack, this was a sophisticated actor becoming intimately familiar with a target and exploiting it persistently, continuing to find new vulnerabilities and tailoring their malware to blend in with the software. The signs are subtle but detectable: changes in hashes on the device, strange authentication behavior appearing in logs, small changes in network traffic such as new HTTP verbs and extr

Introduction Cleaning your domain clock Sometimes we grow to like the old software we’ve become familiar with over the years, but because as users we only see the facade of an interface and functionality, we don’t know what risks may exist in something as simple as a clock. The bar is high for enterprise software: we have to expect that our software accomplishes all of its tasks in a manner that doesn’t put us at risk. Today we dive into a venerable piece of software that appears to carry out its underappreciated task, because despite the engineering behind its functionality, it contained a classic software flaw. Domain Time II from Greyware Automation Products, Inc. is enterprise-grade time synchronization software, including client and server software as well as testing, administration, and auditing capabilities. Everyone has probably had a moment when they realized that the clocks on two different devices were off by a few minutes (or more), but some businesses are particularly s