Friday, April 17, 2020

CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers #Security

The United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a fresh advisory alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers—even if they have already patched it.

The warning comes three months after another CISA alert urging users and administrators to patch Pulse Secure VPN environments to thwart attacks exploiting the vulnerability.

"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access — and move laterally through — that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials," CISA said.

CISA has also released a tool to help network administrators look for any indicators of compromise associated with the flaw.

A Remote Code Execution Flaw

Tracked as CVE-2019-11510, the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers, gain access to all active users and their plain-text credentials, and execute arbitrary commands.

The flaw stems from the fact that directory traversal is hard-coded to be allowed if a path contains "dana/html5/acc," allowing an attacker to send specially crafted URLs to read sensitive files, such as "/etc/passwd", which contains information about each user on the system.

To address this issue, Pulse Secure released an out-of-band patch on April 24, 2019.


While on August 24, 2019, security intelligence firm Bad Packets discovered 14,528 unpatched Pulse Secure servers, a subsequent scan as of last month yielded 2,099 vulnerable endpoints, indicating that the vast majority of organizations have patched their VPN gateways.

Unpatched VPN Servers Become Lucrative Target

The fact that there are still thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware.

A report from ClearSky found Iranian state-sponsored hackers using CVE-2019-11510, among others, to penetrate and steal information from target IT and telecommunication companies across the world.

According to an NSA advisory from October 2019, the "exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."

In a similar alert issued last year, the UK's National Cyber Security Centre (NCSC) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations.

More recently, Travelex, the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) ransomware on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (£4.6 million), a Wall Street Journal report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem.

In the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts.
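The recommendation to scan for exploit attempts can be turned into a simple log check built on the mechanism described earlier: a request path that carries the hard-coded "dana/html5/acc" allow-string together with ".." traversal segments. The script below is an added example, not CISA's tool or Pulse Secure code; the access-log lines and IP addresses in it are constructed for illustration, and the log format is assumed to be a standard combined/common web log.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 3 and 4 carry
# the shape the article describes: the "dana/html5/acc" allow-string combined
# with ".." path segments (line 4 uses percent-encoded dots). The 200 status
# on such a request is what an incident responder would treat as a likely
# successful file read and a trigger for the credential reset CISA advises.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.11 - - [17/Apr/2020:10:01:05 +0000] "GET /dana/html5/acc/guacamole/index.html HTTP/1.1" 200 2048
198.51.100.7 - - [17/Apr/2020:10:02:09 +0000] "GET /dana-na/../dana/html5/acc/../../../../etc/passwd HTTP/1.1" 200 1877
198.51.100.7 - - [17/Apr/2020:10:02:12 +0000] "GET /dana-na/%2e%2e/dana/html5/acc/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 302
"""

# Common-log-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ALLOW_MARKER = "dana/html5/acc"  # the hard-coded allow-string named in the article


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the path contains the allow-string and at least one '..' segment.

    The path is percent-decoded twice so single- and double-encoded dots are
    seen as '..'; the query string is dropped before inspection.
    """
    path = unquote(unquote(raw_path)).split("?", 1)[0]
    if ALLOW_MARKER not in path:
        return False
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text: str) -> list:
    """Return one record per suspicious request: ip, timestamp, raw path, status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["ts"]} {hit["status"]} {hit["path"]}')
```

Any hit with a 2xx status from an appliance that was unpatched at the time warrants treating the stored credentials as exposed, regardless of whether the patch has since been applied.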

CISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.

For more steps to mitigate the flaw, head to NSA's advisory here.



via https://www.aiupnow.com by noreply@blogger.com (Ravie Lakshmanan), Khareem Sudlow