Hackers are taking advantage of unpatched enterprise VPN setups ‒ specifically, a long-known bug in Pulse Secure's code ‒ to spread ransomware and other nasties.
British infosec specialist Kevin Beaumont says a severe hole in Pulse Secure's Zero Trust Remote Access VPN software is being used by miscreants as the entry point for inserting malware attacks.
The vulnerability in question, CVE-2019-11510, was among the bugs patched back in April by an out-of-band update. The flaw is present in Pulse Connect Secure, a VPN program pitched at enterprises for remote workers and bring-your-own-device workers. The bug can basically be abused to extract plain-text passwords, and other secrets, from networks without any authentication.
"That vulnerability is incredibly bad — it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords)," Beaumont explained.
Now, months after the fixes were posted, Beaumont has investigated multiple ransomware infections and has confirmed that the Pulse Secure vulnerabilities were the entry point into the network for the hackers spreading the file-scrambling Sodinokibi nasty.
"In both cases the organizations had unpatched Pulse Secure systems, and the footprint was the same," Beaumont explained, "access was gained to the network, domain admin was gained, VNC was used to move around the network (they actually installed VNC via psexec, as java.exe), and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec."
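Beaumont's description of the footprint (PsExec used to push a VNC binary renamed to java.exe, then the ransomware) maps onto host-level signals a defender can hunt for after the fact. The Python below is an added example, not code from the article or from Beaumont: it runs two rules over constructed Windows System-log "service installed" (Event ID 7045) records, flagging PsExec's default PSEXESVC service install and any java.exe service binary outside an assumed allowlist of Java install directories, then lists hosts where both fire. The key=value log format, the field names, the allowlisted paths and every sample value are assumptions made for this example; adapt them to the schema your log pipeline actually emits.

```python
"""Hunt for PsExec service installs and a renamed binary running as java.exe.

Added example; the detection logic, field names and sample records are
constructed for illustration and are not from the article or from any vendor.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: Windows System-log Event ID 7045 ("a service was installed")
# records plus one unrelated logon event, flattened to key=value text the way a
# log forwarder might emit them. DEV07's record is benign; FS01's are suspicious.
SAMPLE_LOG_LINES = [
    r"2020-01-02T09:00:00Z host=DEV07 eventid=7045 service=JenkinsAgent image=C:\Program Files\Java\jdk-11\bin\java.exe account=CORP\build",
    r"2020-01-03T02:14:07Z host=FS01 eventid=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe account=CORP\svc-admin",
    r"2020-01-03T02:14:12Z host=FS01 eventid=7045 service=RemoteSupport image=C:\Windows\Temp\java.exe account=CORP\svc-admin",
    r"2020-01-03T02:20:40Z host=FS01 eventid=4624 logon_type=3 account=CORP\svc-admin",
]

# Assumed allowlist of directories where a genuine java.exe is expected to live
# (lower-cased, trailing backslash). Tune this to your estate's Java installs.
EXPECTED_JAVA_DIRS = (
    r"c:\program files\java" + "\\",
    r"c:\program files (x86)\java" + "\\",
)

# key=value pairs; the lazy value stops before the next " key=" so that paths
# containing spaces (C:\Program Files\...) survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one flattened record into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def image_basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_dirname(path: str) -> str:
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def check_record(rec: Dict[str, str]) -> List[Finding]:
    """Apply both service-install rules to a single parsed record."""
    findings: List[Finding] = []
    if rec.get("eventid") != "7045":
        return findings
    svc = rec.get("service", "")
    image = rec.get("image", "")
    base = image_basename(image)
    host = rec.get("host", "?")
    who = rec.get("account", "?")
    # Rule 1: PSEXESVC is the service name PsExec installs on the remote host.
    if svc.upper() == "PSEXESVC" or base == "psexesvc.exe":
        findings.append(Finding(rec["timestamp"], host, "psexec_service_install",
                                f"service {svc} image {image} installed by {who}"))
    # Rule 2: a service binary called java.exe that does not sit under a known
    # Java install directory (the renamed-VNC pattern Beaumont describes).
    if base == "java.exe" and not image_dirname(image).startswith(EXPECTED_JAVA_DIRS):
        findings.append(Finding(rec["timestamp"], host, "java_exe_outside_java_install",
                                f"service {svc} image {image} installed by {who}"))
    return findings


def analyze(lines: List[str]) -> List[Finding]:
    """Run the rules over every non-empty record, preserving input order."""
    out: List[Finding] = []
    for line in lines:
        if line.strip():
            out.extend(check_record(parse_line(line)))
    return out


def hosts_with_both(findings: List[Finding]) -> List[str]:
    """Hosts where more than one rule fired: the strongest signal to triage first."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG_LINES):
        print(f"{f.timestamp} {f.host} {f.rule}: {f.detail}")
    print("hosts with both signals:", hosts_with_both(analyze(SAMPLE_LOG_LINES)))
```

Either rule alone is noisy in a large estate (admins legitimately use PsExec, and Java ends up in odd places), which is why the example reports the hosts where both fire within the same log set as a separate list; in a real deployment you would additionally bound that correlation by time and by the installing account, and feed the PSEXESVC rule from the System log of every server rather than a single file.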
The Register pinged Pulse Secure for its side in all of this, and the company issued the following statement.
"Pulse Secure publicly provided a patch fix on April 24, 2019 that should be immediately applied to the Pulse Connect Secure (VPN). The CVE-2019-11510 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit. As we have communicated earlier, we urge all customers to apply the patch fix," the biz said.
"Beyond issuing the original public Security Advisory – SA44101, but commencing that day in April, we informed our customers and service providers of the availability and need for the patch via email, in product alerts, on our community site, within our partner portal, and our customer support web site.
"Since then, our customer success managers have also been directly contacting and working with customers. In addition, Pulse Secure support engineers have been available 24x7, including weekends and holidays, to help customers who need assistance to apply the patch fix. We also offered assistance to customers to patch for these vulnerabilities even if they were not under an active maintenance contract."
Part of the problem may be that organizations are unaware they are running Pulse Secure VPNs that are vulnerable. Earlier this week, for an update on his website, Bad Packets Report's Troy Mursch ran a vulnerability scan finding that 3,826 Pulse Secure VPN servers worldwide remain vulnerable.
As some admins have noted, keeping track of such boxes can be difficult within a large enterprise, let alone getting them patched in a timely manner.
In fact, Beaumont says that Travelex, the currency exchange service that has been knocked offline by a malware infection, had seven such unsecured Pulse Secure servers and was hit by the same Sodinokibi ransomware group involved in the other attacks he had observed. Mursch said he tried to warn Travelex of those exposed machines back in September. ®