Digital Guardian's Blog

CISA Continues to Warn About Pulse Secure Attacks

by Chris Brook on Tuesday January 14, 2020

CISA, the DHS agency that oversees cybersecurity matters in the US, is urging organizations to patch Pulse Secure VPN servers in the wake of news that they're being used to spread ransomware.

The arm of the Department of Homeland Security that's in charge of overseeing the nation's cybersecurity and communications infrastructure is continuing to sound the alarm around the dangers of unpatched Pulse Secure VPN servers.

In particular, CISA (Cybersecurity and Infrastructure Security Agency) is warning that unpatched servers continue to be an attractive target for attackers looking to push ransomware. In an alert it pushed over the weekend, CISA confirmed recent media reports that claimed that attackers have been using the servers to spread the REvil-Sodinokibi ransomware strain.

CISA is encouraging organizations that have not already done so to patch CVE-2019-11510, an unauthenticated arbitrary file read vulnerability that has existed for some time in several Pulse Secure products. Pulse Secure disclosed the vulnerability and released patches in April 2019, but it continues to be exploited by cybercriminals.

An attacker can use the vulnerability, without authenticating, to read arbitrary files from a vulnerable VPN server, including its session data and cached plaintext credentials for active users. Because those files effectively hand the appliance over to the attacker, the attacker can hijack sessions and log in as legitimate users, chain the file read with other flaws patched in the same releases to run arbitrary commands on the appliance, and, as CISA has warned, potentially execute arbitrary commands on each client as it connects to the server.

The vulnerability, which is rated critical, exists in the following products:

  • Pulse Connect Secure 9.0R1 - 9.0R3.3
  • Pulse Connect Secure 8.3R1 - 8.3R7
  • Pulse Connect Secure 8.2R1 - 8.2R12
  • Pulse Connect Secure 8.1R1 - 8.1R15
  • Pulse Policy Secure 9.0R1 - 9.0R3.1
  • Pulse Policy Secure 5.4R1 - 5.4R7
  • Pulse Policy Secure 5.3R1 - 5.3R12
  • Pulse Policy Secure 5.2R1 - 5.2R12
  • Pulse Policy Secure 5.1R1 - 5.1R15
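As an added example that is not part of the original article or Pulse Secure's own tooling, the following Python script encodes the affected ranges listed above and checks an asset inventory for appliances that still need the patch. The version-string format (major.minorR<release>[.maintenance]) and the first fixed builds per train (9.0R3.4, 8.3R7.1, 8.2R12.1, 8.1R15.1 for Pulse Connect Secure; 9.0R3.2, 5.4R7.1, 5.3R12.1, 5.2R12.1, 5.1R15.1 for Pulse Policy Secure) are taken from the vendor advisory for this CVE rather than from the article, and the sample inventory is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected version ranges for CVE-2019-11510 as listed in the article.
# The "first fixed build" column is an assumption for this example, taken
# from Pulse Secure's advisory for the CVE; the article does not list it.
AFFECTED = [
    ("Pulse Connect Secure", "9.0R1", "9.0R3.3", "9.0R3.4"),
    ("Pulse Connect Secure", "8.3R1", "8.3R7",   "8.3R7.1"),
    ("Pulse Connect Secure", "8.2R1", "8.2R12",  "8.2R12.1"),
    ("Pulse Connect Secure", "8.1R1", "8.1R15",  "8.1R15.1"),
    ("Pulse Policy Secure",  "9.0R1", "9.0R3.1", "9.0R3.2"),
    ("Pulse Policy Secure",  "5.4R1", "5.4R7",   "5.4R7.1"),
    ("Pulse Policy Secure",  "5.3R1", "5.3R12",  "5.3R12.1"),
    ("Pulse Policy Secure",  "5.2R1", "5.2R12",  "5.2R12.1"),
    ("Pulse Policy Secure",  "5.1R1", "5.1R15",  "5.1R15.1"),
]

# Pulse version strings look like 9.0R3.3: <major>.<minor>R<release>[.<maintenance>]
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert '9.0R3.3' to (9, 0, 3, 3). A missing maintenance number
    ('8.3R7') is treated as 0, so plain tuple comparison orders builds
    correctly (8.3R7 < 8.3R7.1)."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Pulse Secure version string: {version!r}")
    major, minor, release, maint = match.groups()
    return int(major), int(minor), int(release), int(maint or 0)


def first_fixed_build(product: str, version: str) -> Optional[str]:
    """Return the first fixed build if (product, version) falls inside an
    affected range, otherwise None. None means 'not in the published
    affected list': that covers both patched builds and release trains the
    advisory does not mention, so treat an unlisted train as 'verify against
    the vendor advisory', not as known-safe."""
    v = parse_version(version)
    for prod, low, high, fixed in AFFECTED:
        if prod == product and parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    upgrade_to: str


def triage(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Given (host, product, version) triples from an asset inventory,
    return the appliances that still need the CVE-2019-11510 patch."""
    findings = []
    for host, product, version in inventory:
        fixed = first_fixed_build(product, version)
        if fixed is not None:
            findings.append(Finding(host, product, version, fixed))
    return findings


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-nyc-01", "Pulse Connect Secure", "9.0R3.3"),  # last vulnerable 9.0 build
    ("vpn-nyc-02", "Pulse Connect Secure", "9.0R3.4"),  # first fixed 9.0 build
    ("vpn-lon-01", "Pulse Connect Secure", "8.3R7"),    # vulnerable, no maintenance number
    ("nac-lon-01", "Pulse Policy Secure",  "5.4R7.1"),  # fixed
    ("vpn-sgp-01", "Pulse Connect Secure", "9.1R1"),    # train not in the affected list
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version} -> upgrade to {f.upgrade_to}")
```

The comparison is done on parsed tuples rather than on strings so that 8.3R7 sorts below 8.3R7.1 and 9.0R3.3 below 9.0R3.4; a naive string comparison gets both wrong. Because an appliance that sat unpatched on the internet may already have had its session files and cached credentials read, a "needs upgrade" finding should also trigger a credential reset for accounts on that appliance, not just the upgrade itself.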

Despite the patch having been available since April 2019, CISA said in its advisory on Saturday that it is still seeing widespread exploitation of the bug and that it expects the attacks to continue. Because credentials may already have been harvested from any appliance that was exposed while unpatched, CISA also advises resetting those credentials after upgrading rather than relying on the patch alone.

It can be argued that Sodinokibi, also known as REvil, has been one of the most active ransomware strains of the last six months. It crippled foreign currency exchange Travelex on New Year's Eve, forced Albany International Airport to pay a ransom after files on its computers were encrypted on Christmas Day, and has hit several IT services firms, including Complete Technology Solutions in Colorado and cloud management provider PerCSoft.

One Sodinokibi victim, Artech Information Systems, an IT staffing firm based in New Jersey, had some of its files leaked online earlier this month after it reportedly failed to pay a ransom. It was the first time the group behind the ransomware had released files stolen from a company it had hit.

To give an idea of the attack surface for CVE-2019-11510: according to research by Bad Packets, a cyber threat intelligence firm, roughly 3,825 Pulse Secure VPN servers had still not patched the vulnerability as of January 4.

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.