Getty Images/iStockphoto

Feds Alert to Ongoing Cyberattacks on Unpatched Pulse VPN Servers

In April, Pulse Secure released patches for a flaw found in its VPN servers, which were being exploited to distribute malware. But some clients failed to secure the vulnerability and are at risk of cyberattacks.

Pulse Secure VPN servers are being exploited with cyberattacks looking to exploit known vulnerabilities in its remote code execution (RCE), according to an alert from the Department of Homeland Security Cybersecurity and Infrastructure Security.

It’s the second warning about targeted cyberattacks on vulnerable VPNs released by CISA in recent months and first reported in July. The vulnerabilities reside in several SSL VPN platforms and could allow an attacker to retrieve arbitrary files, including the plain-text authentication credentials for all users.

The stolen credentials could be leveraged to connect to the VPN, giving a hacker the ability to change configuration settings or connect to other devices on the network. In a worst-case scenario, an attacker with an authorized connection could obtain necessary privileges to run secondary exploits designed to access the root shell.

Pulse Secure provided a public patch for the vulnerability on April 24, 2019 and urged its customers to immediately apply it, which is listed by CISA as highly critical. Those customers that have applied the patch are no longer vulnerable to the attacks.

However, about 10 percent of Pulse Secure customers have not yet applied the security measure, the company told HealthITSecurity.com in an email.

“We’ve been updating the advisory as necessary. As of early January, the majority of our customers have successfully applied the patch fix and are no longer vulnerable. But unfortunately, there are organizations that have yet to apply this patch,” Scott Gordon, Pulse Secure chief marketing officer, explained.

“We continue to request customers to apply the April patch fix to their VPN systems – this server-side patch does not require updating the client,” he continued.

Gordon warned that threat actors will continue to take advantage of the vulnerability, which is also found on Palo Alto and Fortinet VPN products. Their goal is to propagate, distribute, and activate the malware variant known as REvil (Sodinokibi) through “interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”

The DHS CISA shares the same warning: researchers expect to see continued exploits of the vulnerability. Organizations are being urged to upgrade their VPN servers with the corresponding fixes, as there are “no viable workarounds except for applying the patches… and performing required system updates.”

Sodinokibi typically targets IT managed service providers and their clients. Its hackers were behind the massive ransomware attack on CTS, an IT vendor for hundreds of dental providers. Sodinokibi hackers have recently begun warning that they will release the data of its victims if they do not pay up during an attack, first reported by BleepingComputer.com.

Dig Deeper on Cybersecurity strategies