Hackers are actively exploiting a critical vulnerability (CVE-2019-11510) in enterprise favourite Pulse Secure VPN software, delivering ransomware and causing significant disruption. Thousands of businesses appear to be running unpatched software, according to internet scanning tools. (See also Pulse Secure's response at the bottom of the page, explaining that a patch has been available since April last year.)
Despite warnings from US CISA, US National Security Agency, and the UK’s National Cyber Security Centre dating back to October last year, a scan on 4 January by security firm Bad Packets found 3,825 Pulse Secure VPN servers that hadn't been patched. Of these, the US had the largest exposure with 1,316 vulnerable Pulse Secure VPN servers, followed by Japan (394) and the UK (221).
Week 19 CVE-2019-11510 Scan Results
• Vulnerable Pulse Secure VPN servers detected: 3,825
Our latest vulnerability scan results are freely available for authorized CERT, CSIRT, and ISAC teams. Submit request here: https://t.co/vlS08kyQo2 #cybersecurity #infosec #threatintel
— Bad Packets Report (@bad_packets), January 4, 2020
It is suspected that a number of recent business compromises may be connected to the vulnerability, as highlighted by researcher Kevin Beaumont in a blog post detailing the timeline of events.
Most recently, Travelex suffered a ‘malware attack’, which took the website offline on 2 January and hindered forex trading with partner banks including Barclays, First Direct, H&T Pawnbrokers, HSBC, Sainsburys, Tesco and Virgin Travel Money.
Beaumont noted that Travelex was running seven unpatched Pulse Secure servers just before the incident.
We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019. No response. pic.twitter.com/lCjk7IY3OM
— Bad Packets Report (@bad_packets), 4 January 2020
"I’ve seen two notable incidents where they believed Pulse Secure was the cause of a breach, and used to deliver Sodinokibi (REvil) ransomware. In both cases the organisations had unpatched Pulse Secure systems, and the footprint was the same — access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via psexec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec," he commented.
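The intrusion pattern Beaumont describes (PsExec used to push a service, VNC dropped under the name java.exe, then ransomware pushed by PsExec) leaves service-installation events behind on every touched host. The following is an added example, not code from the article or from any of the researchers quoted: it runs a simple detection over constructed Windows System-log records in a simplified pipe-delimited form (Event ID 7045, the "a service was installed" event, and the PSEXESVC service name PsExec creates are real; the hosts, service names and paths are made up).

```python
# Added example (not from the article): flag Windows service-install events that
# match the lateral-movement pattern described above: PsExec installing its
# service, and a binary named java.exe outside a real Java install directory.
import re
from dataclasses import dataclass

# Constructed sample records in a simplified "EventID|host|service|image_path" form.
SAMPLE_LOG = """\
7045|WS01|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
7045|WS01|javaupd|C:\\Windows\\Temp\\java.exe -service
7045|WS02|Java Update|C:\\Program Files\\Java\\jre1.8.0_231\\bin\\java.exe
7045|WS03|PSEXESVC|%SystemRoot%\\PSEXESVC.exe
7036|WS03|Spooler|running
"""

# Directories where a genuine Java runtime normally lives; java.exe elsewhere is suspect.
LEGIT_JAVA_DIRS = (r"c:\program files\java", r"c:\program files (x86)\java")

@dataclass
class Finding:
    host: str
    reason: str
    image_path: str

def check_service_install(host, service, image_path):
    """Return a Finding for a suspicious service install, or None if it looks benign."""
    path_l = image_path.lower()
    if service.upper() == "PSEXESVC" or "psexesvc.exe" in path_l:
        return Finding(host, "psexec service installed (remote execution)", image_path)
    if re.search(r"\\java\.exe\b", path_l) and not path_l.startswith(LEGIT_JAVA_DIRS):
        return Finding(host, "java.exe outside a Java install directory", image_path)
    return None

def scan_log(text):
    """Parse pipe-delimited records and return Findings for Event ID 7045 entries."""
    findings = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[0] != "7045":   # only service-install events
            continue
        f = check_service_install(parts[1], parts[2], parts[3])
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}: {f.reason} ({f.image_path})")
```

A real deployment would read these fields from the System event log (Event ID 7045) via the SIEM; the two rules are the point, not the parser.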
Pulse Secure issued an advisory for the Zero Trust VPN product back in April 2019, warning customers that an out-of-cycle patch fixed several critical vulnerabilities, including an authentication bypass that allows an unauthenticated user to perform remote arbitrary file access on the Pulse Connect Secure gateway.
The advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.
However, patching has been spotty, leaving large numbers of enterprises vulnerable to a widening range of threats, including Advanced Persistent Threat (APT) groups.
"These really are a set of vulnerabilities people need to patch urgently," said Chris Doman, a security researcher for AT&T Alien Labs.
"There were a number of state backed groups originally using these vulnerabilities, and now they have inevitably been picked up by targeted ransomware groups that are charging multi-million pound ransoms," he told SC Media UK.
"Over the weekend, the Saudi Arabian Government's National Cyber Security Centre also warned they had observed an Iranian group using these vulnerabilities to access organisations to enable destructive attacks."
Patching is a crucial part of any enterprise security stance, said David Kennefick, product architect at edgescan.
"The likes of CVE-2018-13379 & CVE-2019-11510 can give an attacker lots of valuable information about how best to deliver the ransomware. As we break into 2020, the same advice is still the best. Make sure you are using the latest safe version of the technologies you are employing. As has been the same for the previous edgescan stats reports, a strong patching policy can mitigate up to 70 percent of potential vulnerabilities before they even become an issue," he said.
Following publication Pulse Secure contacted SC with the response below:
"We appreciate researchers and the media informing enterprises of vulnerabilities and threats – in this case, the VPN vulnerability reported in August of 2019 is being exploited to distribute malware as published by ZDnet.
Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure (VPN). The CVE-2019-11510 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit. As we have communicated earlier, we urge all customers to apply the patch fix.
Beyond issuing the original public Security Advisory – SA44101 – and commencing that day in April, we informed our customers and service providers of the availability and need for the patch via email, in product alerts, on our community site, within our partner portal, and on our customer support web site. Since then, our customer success managers have also been directly contacting and working with customers. In addition, Pulse Secure support engineers have been available 24x7, including weekends and holidays, to help customers who need assistance to apply the patch fix. We also offered assistance to customers to patch for these vulnerabilities even if they were not under an active maintenance contract. Customers that need assistance should contact Pulse Secure support using the contact information on the following URL - https://support.pulsesecure.
We have been updating the advisory as necessary. As of early January, the majority of our customers have successfully applied the patch fix and are no longer vulnerable. But unfortunately, there are organisations that have yet to apply this patch. Of the original VPN servers that Bad Packets reported as at risk back in August, we estimate that less than 10 percent of all customers remain vulnerable. We continue to request customers to apply the April patch fix to their VPN systems – this server-side patch does not require updating the client.
Threat actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers."