Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks

New Year's Eve attack on currency exchange service Travelex may have involved use of the flaw.

VPN provider Pulse Secure on Monday urged customers to immediately apply a security patch if they have not yet done so. The company issued the patch last April to address a critical, remotely executable flaw in some versions of its products.

The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-11510 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.

Among those believed affected in the ongoing campaign is travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve. The attack, involving the use of ransomware known as REvil (Sodinokibi), forced the company to take all of its systems offline and to resort to manual operations at branches worldwide.

Travelex did not respond immediately to a Dark Reading request seeking an update on the incident.

UK security researcher Kevin Beaumont, who first reported the attacks on Saturday, described at least two organizations as having been compromised so far by recent attacks targeting the Pulse Secure VPN flaw.

"Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure [VPN]," says Scott Gordon, chief marketing officer at Pulse Secure. "Do not delay as the CVE-2019-11510 vulnerability is highly critical," he warns.

The flaw in multiple versions of Pulse Connect Secure and Pulse Policy Secure gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks,

The security vulnerability is one of several that were discovered last year in VPN products from Pulse Secure, Palo Alto Networks, and Fortinet. Flaws like these are considered especially dangerous because they exist in the products that enterprises rely on for protection against cyber threats. Pulse Secure and numerous others have repeatedly urged organizations with vulnerable systems to apply the patch as soon as possible.

Exploits for the vulnerability have been freely available since at least last August. Both the NSA and the US Department of Homeland Security have issued separate advisories on the VPN flaws and warned about nation-state-backed advanced persistent threat groups exploiting them to take control of vulnerable systems.

Despite the warnings, a substantially large number of Pulse Secure's affected products remain unpatched and vulnerable to attacks. According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.

"We estimate that nearly 90% of Pulse Secure VPN systems have been patched, and some of those systems are not in active production," Gordon says. Back in August, when Bad Packets conducted an Internet scan, it identified 15,000 servers at risk to the vulnerability, he notes.

Gordon says that Pulse Secure has made its support engineers available on a 24/7 basis, including weekends and holidays, to help customers who need assistance to apply the patch fix. Patch assistance is available even to customers that are not currently under an active maintenance contract, he says.

"Any vulnerability in the remote access of a network is a big deal," says Chris Morales, head of security analytics at Vectra. Any remotely executable VPN vulnerability — especially one that gives an attacker the same level of access as an approved remote user, should have been addressed immediately, he says. "I don't know all the variables at play specific to Travelex. However, it is a shame that vulnerability management and patching are still difficult to do."

Colin Bastable, CEO of Lucy Security, says attacks like the one on Travelex highlight the enormous challenges organizations face in addressing threats to the network. "There are too many moving parts in modern IT infrastructure for the IT Team to manage, especially with global businesses," he says. "Playing defense is always harder than playing offense, because someone, somewhere, or some server, will fail to get the memo and miss or misapply the patch."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/9/2020 | 3:04:02 PM
Re: The CVE number reported in this article is incorrect
Thanks for catching the typo
User Rank: Apprentice
1/7/2020 | 10:34:48 AM
CVE typo
"The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-1150 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools."

That is not the correct CVE number. CVE-2019-1150 is a Microsoft RCE vuln

User Rank: Apprentice
1/7/2020 | 10:18:18 AM
The CVE number reported in this article is incorrect
The CVE number reported in this article is incorrect.  The number is not CVE-2019-1150.  It's actually CVE-2019-11510.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...