The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a new advisory warning organizations to reset their Active Directory credentials to protect against cyberattacks that use a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers, even on servers that have already been patched.
Three months ago, CISA alerted users and administrators to patch their Pulse Secure VPN environments to prevent attacks exploiting the vulnerability.
According to CISA, attackers who successfully exploited the flaw, tracked as CVE-2019-11510, and stole a victim organization’s credentials will still be able to access that organization’s network if the organization patched the vulnerability but did not change the stolen credentials.
A new tool has been released by CISA to help network administrators check for any indicators of compromise associated with the flaw.
The remote code execution flaw is a pre-authentication arbitrary file read vulnerability that could let remote, unauthenticated attackers compromise vulnerable VPN servers, obtain the plain-text credentials of all active users, and execute arbitrary commands.
The flaw arises because directory traversal is hard-coded as allowed whenever a request path contains “dana/html5/acc”, which lets an attacker send specially crafted URLs to read sensitive files such as “/etc/passwd”, the file that holds information about each user on the system.
In order to address this issue, Pulse Secure released an out-of-band patch on April 24, 2019.
In August 2019, security intelligence firm Bad Packets found 14,528 unpatched Pulse Secure servers, and in a later scan conducted last month it found 2,099 vulnerable endpoints. This shows that the vast majority of organizations have patched their VPN gateways.
But the thousands of Pulse Secure VPN servers that remain unpatched have become a profitable target for attackers distributing malware.
According to a report from ClearSky, Iranian state-sponsored hackers were found to be using CVE-2019-11510, among others, to infiltrate and steal information from target IT and telecommunication companies across the world.
Exploit code is freely available online, both in the Metasploit framework and on GitHub, and is being used by malicious cyber actors.
Because attacks are ongoing, organizations are strongly advised to update their Pulse Secure VPN, reset their credentials, and scan their logs for unauthenticated requests and exploit attempts.
CISA also urges administrators to remove any unapproved remote access programs and to inspect scheduled tasks for scripts or executables that could allow an attacker to reconnect to the environment.
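As an added example (not part of the CISA advisory or of Pulse Secure's own tooling), the following Python script implements the log scan recommended above using the indicator the article describes: a request path that contains “dana/html5/acc” together with a “..” traversal segment, including URL-encoded forms. The log lines are constructed sample data, and the combined-log field layout is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style (not real data).
# Two requests carry the "dana/html5/acc" token together with traversal
# sequences, one of them URL-encoded; the other two are ordinary VPN traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1832
203.0.113.9 - - [12/Apr/2020:10:01:07 +0000] "GET /dana/html5/acc/../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [12/Apr/2020:10:01:09 +0000] "GET /dana/html5/acc/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 312
10.0.0.7 - - [12/Apr/2020:10:02:11 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 5120
"""

# Assumed log layout: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the decoded request path.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def is_exploit_attempt(path):
    """True if the path carries the traversal-whitelisted token and a '..' segment."""
    decoded = unquote(unquote(path))  # decode twice to catch double-encoded dots
    if 'dana/html5/acc' not in decoded:
        return False
    return TRAVERSAL_RE.search(decoded) is not None

def scan_log(text):
    """Return one record per suspicious request. A 200 status means the
    server actually served the traversal, i.e. it was unpatched at that time,
    so credentials exposed on the box should be treated as stolen."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_exploit_attempt(m['path']):
            hits.append({'ip': m['ip'], 'time': m['ts'], 'path': m['path'],
                         'status': int(m['status']),
                         'served': m['status'] == '200'})
    return hits

if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        flag = 'SERVED (unpatched at the time)' if h['served'] else 'not served'
        print(f"{h['time']} {h['ip']} {h['path']} -> {h['status']} {flag}")
```

Point the script at the VPN appliance's exported web access logs; any hit with a 200 status is the signal that a credential reset, not just the patch, is needed.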