Pulse Secure, a provider of secure VPN products, urged customers today to immediately apply a security patch if they have not yet done so. The advice follows reports over the last few days of attackers exploiting a flaw to deliver ransomware on enterprise systems. It can even be used to delete data backups and disable endpoint security tools.
This flaw has been present for some time, and Kevin Beaumont, who first reported the attacks this weekend, has outlined its backstory since it was discovered in April 2019. It is believed that this flaw was used to attack travel insurance and currency exchange provider Travelex, which experienced a massive service disruption this week following a reported ransomware attack on its systems on New Year's Eve.
This flaw, which exists in multiple versions of Pulse Connect Secure and Pulse Policy Secure, gives remote attackers a way to connect via HTTPS to an enterprise network without needing any valid username or password. Attackers can use the flaw to view logs and files, turn off multifactor authentication, download arbitrary files, and execute malicious code on enterprise networks. The attacker can also see cached passwords in plain text, including Active Directory account passwords.
According to threat intelligence firm Bad Packets, at least 3,825 Pulse Secure VPN servers remain unpatched and vulnerable to attack as of January 3, 2020. More than 1,300 of the vulnerable systems are located in the United States. According to Kevin Beaumont, Travelex had seven unpatched Pulse Secure servers when it was attacked on New Year's Eve.
If you use Pulse Connect Secure or Pulse Policy Secure, it is strongly suggested that you take this seriously and ensure that you have applied all the latest patches. Ransomware like Sodinokibi, also known as REvil, is no joke, and it can cripple or even destroy the companies it affects.