Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/6/2020
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks

New Year's Eve attack on currency exchange service Travelex may have involved use of the flaw.

VPN provider Pulse Secure on Monday urged customers to immediately apply a security patch if they have not yet done so. The company issued the patch last April to address a critical, remotely executable flaw in some versions of its products.

The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-11510 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.

Among those believed affected in the ongoing campaign is travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve. The attack, involving the use of ransomware known as REvil (Sodinokibi), forced the company to take all of its systems offline and to resort to manual operations at branches worldwide.

Travelex did not respond immediately to a Dark Reading request seeking an update on the incident.

UK security researcher Kevin Beaumont, who first reported the attacks on Saturday, described at least two organizations as having been compromised so far by recent attacks targeting the Pulse Secure VPN flaw.

"Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure [VPN]," says Scott Gordon, chief marketing officer at Pulse Secure. "Do not delay as the CVE-2019-11510 vulnerability is highly critical," he warns.

The flaw in multiple versions of Pulse Connect Secure and Pulse Policy Secure gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks,

The security vulnerability is one of several that were discovered last year in VPN products from Pulse Secure, Palo Alto Networks, and Fortinet. Flaws like these are considered especially dangerous because they exist in the products that enterprises rely on for protection against cyber threats. Pulse Secure and numerous others have repeatedly urged organizations with vulnerable systems to apply the patch as soon as possible.

Exploits for the vulnerability have been freely available since at least last August. Both the NSA and the US Department of Homeland Security have issued separate advisories on the VPN flaws and warned about nation-state-backed advanced persistent threat groups exploiting them to take control of vulnerable systems.

Despite the warnings, a substantially large number of Pulse Secure's affected products remain unpatched and vulnerable to attacks. According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.

"We estimate that nearly 90% of Pulse Secure VPN systems have been patched, and some of those systems are not in active production," Gordon says. Back in August, when Bad Packets conducted an Internet scan, it identified 15,000 servers at risk to the vulnerability, he notes.

Gordon says that Pulse Secure has made its support engineers available on a 24/7 basis, including weekends and holidays, to help customers who need assistance to apply the patch fix. Patch assistance is available even to customers that are not currently under an active maintenance contract, he says.

"Any vulnerability in the remote access of a network is a big deal," says Chris Morales, head of security analytics at Vectra. Any remotely executable VPN vulnerability — especially one that gives an attacker the same level of access as an approved remote user, should have been addressed immediately, he says. "I don't know all the variables at play specific to Travelex. However, it is a shame that vulnerability management and patching are still difficult to do."

Colin Bastable, CEO of Lucy Security, says attacks like the one on Travelex highlight the enormous challenges organizations face in addressing threats to the network. "There are too many moving parts in modern IT infrastructure for the IT Team to manage, especially with global businesses," he says. "Playing defense is always harder than playing offense, because someone, somewhere, or some server, will fail to get the memo and miss or misapply the patch."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
al3orod
50%
50%
al3orod,
User Rank: Apprentice
1/9/2020 | 3:04:02 PM
Re: The CVE number reported in this article is incorrect
Thanks for catching the typo
NickW201
50%
50%
NickW201,
User Rank: Apprentice
1/7/2020 | 10:34:48 AM
CVE typo
"The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-1150 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools."

That is not the correct CVE number. CVE-2019-1150 is a Microsoft RCE vuln

 
geoffpr
50%
50%
geoffpr,
User Rank: Apprentice
1/7/2020 | 10:18:18 AM
The CVE number reported in this article is incorrect
The CVE number reported in this article is incorrect.  The number is not CVE-2019-1150.  It's actually CVE-2019-11510.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.