The arm of the Department of Homeland Security that's in charge of overseeing the nation's cybersecurity and communications infrastructure is continuing to sound the alarm around the dangers of unpatched Pulse Secure VPN servers.

In particular, CISA (Cybersecurity and Infrastructure Security Agency) is warning that unpatched servers continue to be an attractive target for attackers looking to push ransomware. In an alert it pushed over the weekend, CISA confirmed recent media reports that claimed that attackers have been using the servers to spread the REvil-Sodinokibi ransomware strain.

Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) January 10, 2020

CISA is encouraging organizations if they haven't already to patch a remote code execution vulnerability (CVE-2019-11510) that's existed for quite some time in some of Pulse Secure's products. Pulse Secure actually disclosed the vulnerability and pushed patches to resolve it way back in April but it continues to be exploited by cybercriminals.

An attacker could use the vulnerability to compromise a vulnerable VPN server and in turn, gain access to active users and any plain-text credentials. As the vulnerability essentially hands compromised servers over to the attacker, it's possible for them to execute arbitrary commands on each client as they connect to the server.

The vulnerability, which is rated critical, exists in the following products:

• Pulse Connect Secure 9.0R1 - 9.0R3.3
• Pulse Connect Secure 8.3R1 - 8.3R7
• Pulse Connect Secure 8.2R1 - 8.2R12
• Pulse Connect Secure 8.1R1 - 8.1R15
• Pulse Policy Secure 9.0R1 - 9.0R3.1
• Pulse Policy Secure 5.4R1 - 5.4R7
• Pulse Policy Secure 5.3R1 - 5.3R12
• Pulse Policy Secure 5.2R1 - 5.2R12
• Pulse Policy Secure 5.1R1 - 5.1R15

Despite being found 10 months ago, CISA said in its advisory on Saturday that it’s still seeing wide exploitation of the bug and that it expects those attacks to continue.

It can be argued Sodinokibi – also known as REvil - has been one of the hottest ransomware strains of the last six months. It crippled foreign currency exchange Travelex on New Year's Eve, forced the Albany International Airport to pay the ransom after files on its computers were encrypted Christmas Day, and has hit several IT services firms, including Complete Technology Solutions in Colorado and cloud management provider PerCSoft.

One Sodinokibi victim, Artech Information Systems, an IT staffing firm based in New Jersey, had some of its files spilled online earlier this month after it reportedly failed to pay a ransom. It was the first time the group behind the ransomware has released files stolen from companies impacted by malware.

To give an idea of what the attack surface is like for CVE-2019-11510, according to research carried out by Bad Packets, a cyber threat intelligence firm, there were roughly 3,825 Pulse Secure VPN servers that hadn't patched the vulnerabilty on January 4.