The DHS urged organizations to update their passwords and make sure that a critical Pulse Secure VPN flaw has been patched, as attackers continue to exploit the flaw.
The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN.
DHS warns that the Pulse Secure VPN patches may have come too late. Government officials say before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.
At the heart of the advisory is a known, critical Pulse Secure arbitrary file reading flaw that opens systems to exploitation from remote, unauthenticated attackers to gain access to a victim’s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw issued the fix to address the vulnerability since then.
But in many cases the damage is already done. Attackers have already exploited the flaw to snatch up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.
“CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,” according to CISA’s alert. “If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.”
The flaw exists in Pulse Connect Secure, Pulse Secure’s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a 10 out of 10 CVSS ranking. Attackers can exploit the flaw to get initial access on the VPN server, where they’re able to access credentials. A proof of concept (PoC) was made public in August 2019. During that time, Troy Mursch with Bad Packets identified over 14,500 Pulse Secure VPN endpoints that were vulnerable to this flaw. In a more recent scan, on Jan. 3, 2020, Mursch said 3,825 endpoints remain vulnerable.
One such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets. Some have speculated the lag time in patching these VPNs led to the eventual massive ransomware attack against Travelex.
Various other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state sponsored hackers who leveraged the flaw to conduct cyber-espionage campaigns against dozens of companies in Israel.
In addition to urging organizations update credentials on accounts in Active Directory, which is the database keeps track of all organizations’ user accounts and passwords, CISA has also released a new tool to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.
“CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks,” the advisory said.