Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/6/2020
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks

New Year's Eve attack on currency exchange service Travelex may have involved use of the flaw.

VPN provider Pulse Secure on Monday urged customers to immediately apply a security patch if they have not yet done so. The company issued the patch last April to address a critical, remotely executable flaw in some versions of its products.

The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-11510 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.

Among those believed affected in the ongoing campaign is travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve. The attack, involving the use of ransomware known as REvil (Sodinokibi), forced the company to take all of its systems offline and to resort to manual operations at branches worldwide.

Travelex did not respond immediately to a Dark Reading request seeking an update on the incident.

UK security researcher Kevin Beaumont, who first reported the attacks on Saturday, described at least two organizations as having been compromised so far by recent attacks targeting the Pulse Secure VPN flaw.

"Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure [VPN]," says Scott Gordon, chief marketing officer at Pulse Secure. "Do not delay as the CVE-2019-11510 vulnerability is highly critical," he warns.

The flaw in multiple versions of Pulse Connect Secure and Pulse Policy Secure gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks,

The security vulnerability is one of several that were discovered last year in VPN products from Pulse Secure, Palo Alto Networks, and Fortinet. Flaws like these are considered especially dangerous because they exist in the products that enterprises rely on for protection against cyber threats. Pulse Secure and numerous others have repeatedly urged organizations with vulnerable systems to apply the patch as soon as possible.

Exploits for the vulnerability have been freely available since at least last August. Both the NSA and the US Department of Homeland Security have issued separate advisories on the VPN flaws and warned about nation-state-backed advanced persistent threat groups exploiting them to take control of vulnerable systems.

Despite the warnings, a substantially large number of Pulse Secure's affected products remain unpatched and vulnerable to attacks. According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.

"We estimate that nearly 90% of Pulse Secure VPN systems have been patched, and some of those systems are not in active production," Gordon says. Back in August, when Bad Packets conducted an Internet scan, it identified 15,000 servers at risk to the vulnerability, he notes.

Gordon says that Pulse Secure has made its support engineers available on a 24/7 basis, including weekends and holidays, to help customers who need assistance to apply the patch fix. Patch assistance is available even to customers that are not currently under an active maintenance contract, he says.

"Any vulnerability in the remote access of a network is a big deal," says Chris Morales, head of security analytics at Vectra. Any remotely executable VPN vulnerability — especially one that gives an attacker the same level of access as an approved remote user, should have been addressed immediately, he says. "I don't know all the variables at play specific to Travelex. However, it is a shame that vulnerability management and patching are still difficult to do."

Colin Bastable, CEO of Lucy Security, says attacks like the one on Travelex highlight the enormous challenges organizations face in addressing threats to the network. "There are too many moving parts in modern IT infrastructure for the IT Team to manage, especially with global businesses," he says. "Playing defense is always harder than playing offense, because someone, somewhere, or some server, will fail to get the memo and miss or misapply the patch."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?"

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
al3orod
50%
50%
al3orod,
User Rank: Apprentice
1/9/2020 | 3:04:02 PM
Re: The CVE number reported in this article is incorrect
Thanks for catching the typo
NickW201
50%
50%
NickW201,
User Rank: Apprentice
1/7/2020 | 10:34:48 AM
CVE typo
"The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-1150 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools."

That is not the correct CVE number. CVE-2019-1150 is a Microsoft RCE vuln

 
geoffpr
50%
50%
geoffpr,
User Rank: Apprentice
1/7/2020 | 10:18:18 AM
The CVE number reported in this article is incorrect
The CVE number reported in this article is incorrect.  The number is not CVE-2019-1150.  It's actually CVE-2019-11510.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
CVE-2020-26243
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
CVE-2020-25650
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...