The US Cybersecurity and Infrastructure Security Agency (CISA) today alerted organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability.
This warning follows another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security, and UK’s National Cyber Security Center (NCSC).
Pulse Secure reported the vulnerability tracked as CVE-2019-11510 and disclosed by Orange Tsai and Meh Chang from the DEVCORE research team, and by Jake Valletta from FireEye in an April 2019 out-of-cycle advisory.
The company also issued software updates to patch all affected Pulse Connect Secure and Pulse Policy Secure versions.
“CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes,” today’s DHS alert warns.
Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec
— US-CERT (@USCERT_gov) January 10, 2020
If left unpatched, CVE-2019-11510 could allow remote unauthenticated attackers to compromise vulnerable VPN servers and “gain access to all active users and their plain-text credentials” and execute arbitrary commands.
On unpatched systems, the flaw “allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” security researcher Kevin Beaumont explains.
According to an NSA advisory from October 2019, “Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.”
“Actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers,” Pulse Secure Chief Marketing Officer Scott Gordon told Bleeping Computer.
Week 19 CVE-2019-11510 Scan Results
• Vulnerable Pulse Secure VPN servers detected: 3,825
Our latest vulnerability scan results are freely available for authorized CERT, CSIRT, and ISAC teams.
— Bad Packets Report (@bad_packets) January 4, 2020
While on August 25, 2019, cyber threat intelligence outfit Bad Packets was able to discover 14,528 unpatched Pulse Secure servers, this month a subsequent scan yielded 3,825 results showing that a vast majority of orgs patched their VPN gateways.
Since August 2019, Bad Packets Chief Research Officer Troy Mursch reached out to organizations that haven’t yet patched their assets, alerting them of the serious damage attackers could inflict on their systems if they leave their servers unpatched.
While not yet confirmed, a high-profile case of an organization directly affected by not patching their Pulse Secure servers could be the international foreign currency exchange Travelex which had its systems infected with Sodinokibi ransomware after an attack that took place on December 31.
As it happens, Travelex was one of the organizations that Mursch warned of the issue in September 2019. Unfortunately, Travelex did reply to his email.
Beaumont also found several Internet-exposed Windows servers with RDP enabled and the Network Level Authentication feature toggled off on Travelex’s AWS platform. This could allow potential attackers to connect before authenticating.