The United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a
fresh advisoryalerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers—even if they have already patched it.
The warning comes three months after another
CISA alerturging users and administrators to
patch Pulse Secure VPNenvironments to thwart attacks exploiting the vulnerability.
"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access — and move laterally through — that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials," CISA said.
CISA has also
released a tool to helpnetwork administrators look for any indicators of compromise associated with the flaw.
A Remote Code Execution Flaw
Tracked as
CVE-2019-11510, the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands.
The flaw stems from the fact that
directory traversalis hard-coded to be allowed if a path contains "dana/html5/acc," thus allowing an attacker to send specially crafted URLs to read sensitive files, such as "/etc/passwd" that contains information about each user on the system.
To address this issue, Pulse Secure released an
out-of-band patchon April 24, 2019.
While on August 24, 2019, security intelligence firm Bad Packets was able to discover
14,528 unpatchedPulse Secure servers, a subsequent scan as of last month yielded
2,099 vulnerable endpoints, indicating that a vast majority of organizations have patched their VPN gateways.
Unpatched VPN Servers Become Lucrative Target
The fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware.
A report from ClearSky found Iranian state-sponsored
hackers using CVE-2019-11510, among others, to penetrate and steal information from target IT and telecommunication companies across the world.
According to an
NSA advisoryfrom October 2019, the "exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."
In a similar alert issued last year, the UK's National Cyber Security Centre (
NCSC) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations.
More recently,
Travelex, the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil)
ransomwareon the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (£4.6 million), a
Wall Street Journalreport last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem.
In the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts.
CISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.
For more steps to mitigate the flaw, head to
NSA's advisory here.
via https://www.aiupnow.com by noreply@blogger.com (Ravie Lakshmanan), Khareem Sudlow