Attackers are exploiting newly disclosed vulnerabilities in VPN applications to install the REvil (Sodinokibi) ransomware. I have had the unfortunate opportunity to witness firsthand how damaging ransomware can be when it happened to a parent of one of my clients. It is very debilitating and an important reason to increase specific security efforts in your network. I am happy to take your call and discuss network security in your environment and what can be done to improve it.
Original release date: January 10, 2020
Summary
Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerability, known as CVE-2019-11510, can become compromised in an attack. [1]
Although Pulse Secure [2] disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [3] [4] [5]
CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. [6]
Timelines of Specific Events
- April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
- May 28, 2019 – Large commercial vendors receive reports of vulnerable VPN servers through HackerOne.
- July 31, 2019 – Full RCE exploitation is demonstrated, using the admin session hash to obtain a complete shell.
- August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure), with a detailed attack walkthrough on active VPN exploitation.
- August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
- October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
- October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
- January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.
More information can be found here: https://www.us-cert.gov/ncas/alerts/aa20-010a