A widely known vulnerability affecting an enterprise VPN product from Pulse Secure has been exploited by cybercriminals to deliver a piece of ransomware, a researcher has warned.
The flaw in question, tracked as CVE-2019-11510, is one of the many security holes disclosed last year by a team of researchers in enterprise VPN products from Fortinet, Palo Alto Networks and Pulse Secure. The researchers warned at the time of disclosure that the vulnerabilities could be exploited to infiltrate corporate networks, obtain sensitive information, and eavesdrop on communications.
The first attempts to exploit the vulnerabilities against Fortinet and Pulse Secure products were spotted on August 21 and 22 — the attempts mainly represented scanning activity with the goal of identifying vulnerable systems.
Despite patches being made available by the impacted vendors, many organizations still haven’t applied them, allowing threat actors to leverage the vulnerabilities in their attacks.
Pulse Secure released a patch for CVE-2019-11510 in April 2019, months before details of the vulnerability were disclosed, and the vendor claimed in late August that a majority of its customers had installed the fix.
However, Bad Packets, which monitors the internet for attacks, reported at the time that there had still been over 14,000 vulnerable Pulse Secure VPN endpoints hosted by more than 2,500 organizations. Even now, Bad Packets claims there are still nearly 4,000 vulnerable servers, including over 1,300 in the United States.
CVE-2019-11510 is an arbitrary file read vulnerability that can be exploited by unauthenticated attackers to obtain private keys and passwords. They can use the obtained credentials in combination with a remote command injection vulnerability in Pulse Secure products (CVE-2019-11539), allowing them to gain access to private VPN networks.
Bad Packets has been working with national computer emergency response teams and other organizations in an effort to get affected organizations to patch their VPNs. In early October, the NSA and the United Kingdom’s National Cyber Security Centre (NCSC) issued alerts to warn organizations that the vulnerabilities affecting Pulse Secure, Fortinet and Palo Alto Networks VPNs had been exploited in attacks, including by state-sponsored threat actors.
UK-based cybersecurity researcher Kevin Beaumont reported a few days ago that he became aware of attacks exploiting the Pulse Secure vulnerability to deliver a piece of file-encrypting ransomware tracked as Sodinokibi and REvil.
Sodinokibi, which cybercriminals also delivered last year via an Oracle WebLogic Server vulnerability shortly after the flaw was patched, typically asks victims to pay thousands of dollars to recover their files.
Beaumont said he had become aware of two “notable incidents” where Pulse Secure was believed to be the cause of the breach.
“In both cases the organisations had unpatched Pulse Secure systems, and the footprint was the same — access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via psexec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec,” he explained in a blog post.
He also claimed to have seen an incident where Pulse Secure was confirmed to be the point of entry to the victim’s network.
Interestingly, Bad Packets pointed out that it notified Travelex of the Pulse Secure vulnerability in mid-September, informing the company that it had several vulnerable servers.
Travelex, a UK-based foreign currency exchange, recently shut down its website and other services in response to a malware attack, but no information has been made public regarding how the attackers breached its systems. However, some claimed that the attack involved a piece of ransomware.
UPDATE. Pulse Secure has provided SecurityWeek the following statement:
Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure (VPN). The CVE2019-1150 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit. As we have communicated earlier, we urge all customers to apply the patch fix.
Beyond issuing the original public Security Advisory – SA44101, but commencing that day in April, we informed our customers and service providers of the availability and need for the patch via email, in product alerts, on our community site, within our partner portal, and our customer support web site. Since then, our customer success managers have also been directly contacting and working with customers. In addition, Pulse Secure support engineers have been available 24×7, including weekends and holidays, to help customers who need assistance to apply the patch fix. We also offered assistance to customers to patch for these vulnerabilities even if they were not under an active maintenance contract. Customers that need assistance should contact Pulse Secure support using the contact information on the following URL – https://support.pulsesecure.net/support/support-contacts/.
We have been updating the advisory as necessary. As of early January, the majority of our customers have successfully applied the patch fix and are no longer vulnerable. But unfortunately, there are organizations that have yet to apply this patch. Of the original VPN servers that Bad Packets reported as at risk back in August, we estimate that less than 10% of all customers remain vulnerable. We continue to request customers to apply the April patch fix to their VPN systems – this server-side patch does not require updating the client.
Threat Actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”