[BreachExchange] Pulse Secure VPN Vulnerability Exploited to Deliver Ransomware

Destry Winant destry at riskbasedsecurity.com
Tue Jan 7 10:21:13 EST 2020


https://www.securityweek.com/pulse-secure-vpn-vulnerability-exploited-deliver-ransomware

A widely known vulnerability affecting an enterprise VPN product from
Pulse Secure has been exploited by cybercriminals to deliver a piece
of ransomware, a researcher has warned.

The flaw in question, tracked as CVE-2019-11510, is one of the many
security holes disclosed last year by a team of researchers in
enterprise VPN products from Fortinet, Palo Alto Networks and Pulse
Secure. The researchers warned at the time of disclosure that the
vulnerabilities could be exploited to infiltrate corporate networks,
obtain sensitive information, and eavesdrop on communications.

The first attempts to exploit the vulnerabilities against Fortinet and
Pulse Secure products were spotted on August 21 and 22 — the attempts
mainly represented scanning activity with the goal of identifying
vulnerable systems.

Despite patches being made available by the impacted vendors, many
organizations still haven’t applied them, allowing threat actors to
leverage the vulnerabilities in their attacks.

Pulse Secure released a patch for CVE-2019-11510 in April 2019, months
before details of the vulnerability were disclosed, and the vendor
claimed in late August that a majority of its customers had installed
the fix.

However, Bad Packets, which monitors the internet for attacks,
reported at the time that there had still been over 14,000 vulnerable
Pulse Secure VPN endpoints hosted by more than 2,500 organizations.
Even now, Bad Packets claims there are still nearly 4,000 vulnerable
servers, including over 1,300 in the United States.

CVE-2019-11510 is an arbitrary file read vulnerability that can be
exploited by unauthenticated attackers to obtain private keys and
passwords. They can use the obtained credentials in combination with a
remote command injection vulnerability in Pulse Secure products
(CVE-2019-11539), allowing them to gain access to private VPN
networks.

Bad Packets has been working with national computer emergency response
teams and other organizations in an effort to get affected
organizations to patch their VPNs. In early October, the NSA and the
United Kingdom’s National Cyber Security Centre (NCSC) issued alerts
to warn organizations that the vulnerabilities affecting Pulse Secure,
Fortinet and Palo Alto Networks VPNs had been exploited in attacks,
including by state-sponsored threat actors.

UK-based cybersecurity researcher Kevin Beaumont reported a few days
ago that he became aware of attacks exploiting the Pulse Secure
vulnerability to deliver a piece of file-encrypting ransomware tracked
as Sodinokibi and REvil.

Sodinokibi, which cybercriminals also delivered last year via an
Oracle WebLogic Server vulnerability shortly after the flaw was
patched, typically asks victims to pay thousands of dollars to recover
their files.

Beaumont said he had become aware of two “notable incidents” where
Pulse Secure was believed to be the cause of the breach.

“In both cases the organisations had unpatched Pulse Secure systems,
and the footprint was the same — access was gained to the network,
domain admin was gained, VNC was used to move around the network (they
actually installed VNC via psexec, as java.exe), and then endpoint
security tools were disabled and Sodinokibi was pushed to all systems
via psexec,” he explained in a blog post.
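The footprint described above lends itself to a simple host-telemetry check. The following is an added example, not code from the article or from Beaumont's post: it runs over constructed process-creation events (field names modelled on Sysmon event ID 1) and flags processes launched under psexec's remote service together with a binary running as java.exe whose PE original file name says otherwise. The host names, paths and the winvnc.exe original name are all constructed for illustration.

```python
"""Triage process-creation events for the psexec + renamed-VNC footprint.

Constructed sample events, not real logs; hosts and paths are hypothetical.
Field names follow the Sysmon EventID 1 schema (Image, ParentImage,
OriginalFileName), which records the PE version-info name of the binary.
"""
from collections import defaultdict

EVENTS = [  # constructed sample data
    {"host": "ws01", "Image": r"C:\Program Files\Java\bin\java.exe",
     "OriginalFileName": "java.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "srv02", "Image": r"C:\Windows\java.exe",
     "OriginalFileName": "winvnc.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"host": "srv02", "Image": r"C:\Windows\Temp\setup.exe",
     "OriginalFileName": "setup.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws03", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]


def basename(path):
    """Lower-cased file name component of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the findings for one process-creation event."""
    findings = []
    # PSEXESVC.exe is the service psexec drops on the remote host; anything
    # it spawns was started remotely.
    if basename(event["ParentImage"]) == "psexesvc.exe":
        findings.append("psexec_remote_exec")
    # A binary whose on-disk name differs from its PE original file name
    # has been renamed (here: a VNC server running as java.exe).
    image = basename(event["Image"])
    orig = event.get("OriginalFileName", "").lower()
    if orig and image != orig:
        findings.append("name_mismatch:%s->%s" % (orig, image))
    return findings


def triage(events):
    """Group findings per host, dropping hosts with nothing suspicious."""
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]].update(classify(e))
    return {h: sorted(f) for h, f in per_host.items() if f}


def full_footprint(report):
    """Hosts showing both remote execution and a masqueraded binary."""
    return sorted(h for h, f in report.items()
                  if "psexec_remote_exec" in f
                  and any(x.startswith("name_mismatch") for x in f))
```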

He also claimed to have seen an incident where Pulse Secure was
confirmed to be the point of entry to the victim’s network.

Interestingly, Bad Packets pointed out that it notified Travelex of
the Pulse Secure vulnerability in mid-September, informing the company
that it had several vulnerable servers.

Travelex, a UK-based foreign currency exchange, recently shut down its
website and other services in response to a malware attack, but no
information has been made public regarding how the attackers breached
its systems. However, some claimed that the attack involved a piece of
ransomware.

UPDATE. Pulse Secure has provided SecurityWeek the following statement:

“Pulse Secure publicly provided a patch fix on April 24, 2019 that
should be immediately applied to the Pulse Connect Secure (VPN). The
CVE-2019-11510 vulnerability is highly critical. Customers that have
already applied this patch would not be vulnerable to this malware
exploit. As we have communicated earlier, we urge all customers to
apply the patch fix.


Beyond issuing the original public Security Advisory – SA44101, but
commencing that day in April, we informed our customers and service
providers of the availability and need for the patch via email, in
product alerts, on our community site, within our partner portal, and
our customer support web site. Since then, our customer success
managers have also been directly contacting and working with
customers. In addition, Pulse Secure support engineers have been
available 24x7, including weekends and holidays, to help customers who
need assistance to apply the patch fix. We also offered assistance to
customers to patch for these vulnerabilities even if they were not
under an active maintenance contract. Customers that need assistance
should contact Pulse Secure support using the contact information on
the following URL -
https://support.pulsesecure.net/support/support-contacts/.


We have been updating the advisory as necessary. As of early January,
the majority of our customers have successfully applied the patch fix
and are no longer vulnerable. But unfortunately, there are
organizations that have yet to apply this patch. Of the original VPN
servers that Bad Packets reported as at risk back in August, we
estimate that less than 10% of all customers remain vulnerable. We
continue to request customers to apply the April patch fix to their
VPN systems – this server-side patch does not require updating the
client.


Threat Actors will take advantage of the vulnerability that was
reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in
this case, exploit unpatched VPN servers to propagate malware, REvil
(Sodinokibi), by distributing and activating the Ransomware through
interactive prompts of the VPN interface to the users attempting to
access resources through unpatched, vulnerable Pulse VPN servers.”
