The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks: CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities.
CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage.
CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019, and Pulse Secure released a patch to address it in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability to steal credentials, the attackers retained persistent access to networks even after the vulnerability was patched, if those credentials were not also changed at the same time.
CISA observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and hospitals, even after patches had been applied. First, the vulnerability was exploited to gain access to the network through vulnerable VPN devices. The threat actors were then able to obtain plaintext Active Directory credentials. Those accounts were used with external remote services for access and with remote services for lateral movement, after which the attackers deployed ransomware and malware and/or exfiltrated and sold sensitive company data.
The attackers used Tor infrastructure and virtual private servers to minimize the chance of detection when they were connected to victims’ VPN appliances. Many victims failed to detect the compromise because their antivirus and intrusion detection systems did not flag the remote access as suspicious: genuine login credentials and legitimate remote services were being used. Some attackers installed LogMeIn and TeamViewer to ensure they retained persistent access even if the primary connection was lost.
When patches are applied to address vulnerabilities that are known to be actively exploited in real world attacks, organizations then need to conduct analyses to determine if the vulnerability has already been exploited to gain access to their networks. Patching will prevent any further threat actors from exploiting the vulnerability, but if a network compromise has already occurred, applying the patch will not kick the attackers out of systems.
CISA has now developed a tool that organizations can use to determine if the Pulse Secure VPN vulnerability has already been exploited. The tool scans the log files of Pulse Secure VPN servers to determine if the gateway has been compromised. In addition to helping system administrators triage logs, the tool also scans for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Secure vulnerability.
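The kind of log triage described above, as an added example that is not CISA's tool or any Pulse Secure code: it parses a constructed VPN login log (the line layout, the indicator list and the patch date are all assumptions for the example) and flags logins from indicator addresses as well as the post-patch pattern this alert describes, an account that keeps authenticating from an address it never used before the appliance was patched.

```python
import re
from datetime import datetime, timezone

# Constructed log layout for this example (not Pulse Secure's real format):
# ISO timestamp, user, source address and outcome of one VPN login attempt.
LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

# Constructed indicator list standing in for the IoCs (Tor exit nodes, VPS
# addresses) that an alert or a triage tool would supply.
IOC_IPS = {"198.51.100.7", "203.0.113.200"}
PATCH_DATE = datetime(2020, 4, 15, tzinfo=timezone.utc)  # constructed patch date

# Constructed sample log (TEST-NET addresses): normal logins before the patch,
# then post-patch logins from addresses the accounts never used before.
SAMPLE_LOG = """\
2020-03-01T08:00:00Z login user=alice src=192.0.2.10 result=success
2020-03-02T09:12:44Z login user=bob src=192.0.2.11 result=failure
2020-03-02T09:13:01Z login user=bob src=192.0.2.11 result=success
2020-04-20T02:30:15Z login user=alice src=198.51.100.7 result=success
2020-04-21T23:58:02Z login user=bob src=203.0.113.55 result=success
"""

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def triage(log_text, ioc_ips, patch_date):
    """Return (kind, user, src, ts) findings. 'ioc': any login from an indicator
    address. 'new_source': a successful post-patch login from an address the
    account never used before the patch (stolen credentials reused after patching)."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    seen_before = {}  # user -> addresses used for successful pre-patch logins
    for r in records:
        if r["result"] == "success" and r["ts"] < patch_date:
            seen_before.setdefault(r["user"], set()).add(r["src"])
    findings = []
    for r in records:
        if r["src"] in ioc_ips:
            findings.append(("ioc", r["user"], r["src"], r["ts"]))
        if (r["result"] == "success" and r["ts"] >= patch_date
                and r["src"] not in seen_before.get(r["user"], set())):
            findings.append(("new_source", r["user"], r["src"], r["ts"]))
    return findings
```

Running `triage(SAMPLE_LOG, IOC_IPS, PATCH_DATE)` on the constructed log reports alice's post-patch login both as an indicator hit and as a new source, and bob's post-patch login as a new source only.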
“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged,” wrote CISA.
In addition to performing the scans, CISA recommends changing Active Directory passwords and searching for unauthorized applications, scheduled tasks, and any installed remote access tools that have not been approved by the IT department. Scans should also be performed to identify any remote access Trojans and other malware that may have been installed.
Many organizations that use VPN servers to allow remote access do not use multi-factor authentication, which means that any stolen credentials can be used to gain access to networks via the VPN gateways. With multi-factor authentication in place, use of stolen credentials becomes much harder, as a second factor will be required before access is granted.