Cybercriminals have exploited a widely known vulnerability in Pulse Secure enterprise VPN software to deploy ransomware, a researcher reported.
The vulnerability in question, tracked as CVE-2019-11510, is one of several security holes that a team of researchers discovered last year in enterprise VPN software from Fortinet, Palo Alto Networks and Pulse Secure. When the findings were disclosed, the researchers warned that the flaws could be exploited to penetrate corporate networks, obtain sensitive information and eavesdrop on communications.
The first attempts to exploit the vulnerabilities in Fortinet and Pulse Secure devices were observed on August 21 and 22; these attempts mainly consisted of scanning activity aimed at identifying vulnerable systems.
Although the affected vendors have made patches available, many organizations have still not applied them, allowing threat actors to exploit the vulnerabilities in their attacks.
In April 2019, months before details of the vulnerability were disclosed, Pulse Secure released a patch for CVE-2019-11510, and in late August the company reported that many of its customers had applied the update.
Nonetheless, at the time, Bad Packets, which scans the internet for threats, estimated that more than 14,000 vulnerable Pulse Secure VPN endpoints were still being operated by more than 2,500 organizations. Even now, it reports that nearly 4,000 vulnerable servers remain, including more than 1,300 in the U.S.
Week 19 CVE-2019-11510 Scan Results
• Vulnerable Pulse Secure VPN servers detected: 3,825
Our latest vulnerability scan results are freely available for authorized CERT, CSIRT, and ISAC teams.
— Bad Packets Report (@bad_packets) 4 January 2020
CVE-2019-11510 is an arbitrary file read vulnerability that unauthenticated attackers can exploit to obtain private keys and passwords. The stolen credentials can then be combined with a remote command injection vulnerability in Pulse Secure products (CVE-2019-11539) to gain access to private VPN networks.
In an effort to get affected organizations to patch their VPNs, Bad Packets has been working with national computer emergency response teams and other organizations. In early October, the NSA and the United Kingdom's National Cyber Security Centre (NCSC) issued alerts warning organizations that the vulnerabilities affecting VPNs from Pulse Secure, Fortinet and Palo Alto Networks had been exploited in attacks, including by state-sponsored threat actors.
UK-based cybersecurity researcher Kevin Beaumont reported a few days ago that he had learned of attacks exploiting the Pulse Secure vulnerability to deliver a piece of file-encrypting ransomware tracked as Sodinokibi and REvil.
Sodinokibi, which was also delivered last year via a vulnerability in Oracle WebLogic Server shortly after that flaw was patched, typically demands thousands of dollars from victims to recover their files.
Beaumont said he was informed of two “notable incidents” in which Pulse Secure was suspected to be the source of the breach.
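As an added defensive example that is not from this article or from Pulse Secure, the Python script below scans web access-log lines for directory-traversal requests, the class of request an unauthenticated arbitrary file read such as CVE-2019-11510 relies on, and flags those the server answered with a 2xx status as possible file disclosures. The log lines are constructed, and the combined log format and the /dana-na/ login-page prefix are assumptions about the deployment.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines, not real traffic. Line 1 is a normal
# login-page hit, lines 2 and 3 are traversal attempts (plain and
# double-URL-encoded), line 4 is an ordinary static-asset request.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [04/Jan/2020:10:01:09 +0000] "GET /dana-na/../../../../etc/passwd HTTP/1.1" 200 1420
198.51.100.7 - - [04/Jan/2020:10:01:10 +0000] "GET /dana-na/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 310
203.0.113.9 - - [04/Jan/2020:10:02:00 +0000] "GET /dana-cached/css/main.css HTTP/1.1" 200 900
"""

def is_traversal(path: str) -> bool:
    """True if the request path contains a '..' segment after decoding single
    or double URL encoding, which a plain substring match on the raw path misses."""
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded

def find_traversal_attempts(log_text: str) -> list:
    """Return one record per traversal attempt. 'served' marks a 2xx response:
    a traversal the server answered successfully may have disclosed the requested
    file, so any credentials it could hold should be treated as exposed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        if is_traversal(m["path"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "path": m["path"],
                "status": status, "served": 200 <= status < 300,
            })
    return hits

if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        flag = "POSSIBLE FILE DISCLOSURE" if h["served"] else "failed probe"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {flag}: {h["path"]}')
```

A served traversal is the trigger to rotate the VPN's stored credentials and keys, not just to patch, since the chain described above starts with what the file read returns.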
“In both cases, Pulse Secure systems were unpatched by the organizations and the footprint was the same— access to the network was gained, domain admin was gained, VNC was used to move around the network (they actually installed VNC via psexec as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec,” he explained in a blog post.
He also said he had seen one incident in which Pulse Secure was the suspected point of entry into the network.
Ironically, Bad Packets found that it had notified Travelex of the Pulse Secure vulnerability in mid-September, telling the company that it had many vulnerable servers.
If you get a notice from us, please patch your Pulse Secure VPN servers. https://t.co/VitSQW9u7h
— Bad Packets Report (@bad_packets) 5 January 2020
Travelex, a UK-based foreign currency exchange company, recently took its website and other services offline in response to a ransomware attack, but no details on how the attackers breached its infrastructure have been made public. Nevertheless, others have suggested that this piece of ransomware was involved in the attack.