VPN provider Pulse Secure on Monday urged customers to immediately apply a security patch if they have not yet done so. The company issued the patch last April to address a critical, remotely executable flaw in some versions of its products.
The advice stemmed from reports over the last few days of attackers exploiting the flaw — tracked as CVE-2019-11510 — to deliver ransomware on enterprise systems and to delete data backups and disable endpoint security tools.
Among those believed affected in the ongoing campaign is travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve. The attack, involving the use of ransomware known as REvil (Sodinokibi), forced the company to take all of its systems offline and to resort to manual operations at branches worldwide.
Travelex did not respond immediately to a Dark Reading request seeking an update on the incident.
UK security researcher Kevin Beaumont, who first reported the attacks on Saturday, described at least two organizations as having been compromised so far by recent attacks targeting the Pulse Secure VPN flaw.
"Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure [VPN]," says Scott Gordon, chief marketing officer at Pulse Secure. "Do not delay as the CVE-2019-11510 vulnerability is highly critical," he warns.
The flaw in multiple versions of Pulse Connect Secure and Pulse Policy Secure gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn-off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks,
The security vulnerability is one of several that were discovered last year in VPN products from Pulse Secure, Palo Alto Networks, and Fortinet. Flaws like these are considered especially dangerous because they exist in the products that enterprises rely on for protection against cyber threats. Pulse Secure and numerous others have repeatedly urged organizations with vulnerable systems to apply the patch as soon as possible.
Exploits for the vulnerability have been freely available since at least last August. Both the NSA and the US Department of Homeland Security have issued separate advisories on the VPN flaws and warned about nation-state-backed advanced persistent threat groups exploiting them to take control of vulnerable systems.
Despite the warnings, a substantially large number of Pulse Secure's affected products remain unpatched and vulnerable to attacks. According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.
"We estimate that nearly 90% of Pulse Secure VPN systems have been patched, and some of those systems are not in active production," Gordon says. Back in August, when Bad Packets conducted an Internet scan, it identified 15,000 servers at risk to the vulnerability, he notes.
Gordon says that Pulse Secure has made its support engineers available on a 24/7 basis, including weekends and holidays, to help customers who need assistance to apply the patch fix. Patch assistance is available even to customers that are not currently under an active maintenance contract, he says.
"Any vulnerability in the remote access of a network is a big deal," says Chris Morales, head of security analytics at Vectra. Any remotely executable VPN vulnerability — especially one that gives an attacker the same level of access as an approved remote user, should have been addressed immediately, he says. "I don't know all the variables at play specific to Travelex. However, it is a shame that vulnerability management and patching are still difficult to do."
Colin Bastable, CEO of Lucy Security, says attacks like the one on Travelex highlight the enormous challenges organizations face in addressing threats to the network. "There are too many moving parts in modern IT infrastructure for the IT Team to manage, especially with global businesses," he says. "Playing defense is always harder than playing offense, because someone, somewhere, or some server, will fail to get the memo and miss or misapply the patch."
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Tools Will Find Misconfigurations in My AWS S3 Cloud Buckets?"