The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to all organizations that use Pulse Secure VPN servers, warning that patching the known vulnerabilities does not by itself prevent cyberattacks. CISA has been informed that attacks are continuing even after patches addressing the known vulnerabilities have been applied.
CISA released a warning around a year ago telling companies to patch a vulnerability (CVE-2019-1151) identified in Pulse Secure Virtual Private Network appliances because of a high risk of exploitation. Many companies did not apply the patch promptly, and attackers took advantage of the delay.
CVE-2019-1151 is an arbitrary file read vulnerability affecting Pulse Secure VPN appliances. The vulnerability was discovered in the spring of 2019, and Pulse Secure issued a patch in April 2019. Several known advanced persistent threat groups have exploited the vulnerability to steal information and to install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to retain network access even after the vulnerability was patched, as long as the stolen credentials were not changed.
CISA has observed threat actors exploiting the vulnerability to install ransomware at a number of government agencies and hospitals, even after the patches were applied. The attacks followed a consistent pattern:
- First, the attackers exploited the vulnerability to gain access to the network through vulnerable VPN devices.
- Second, the threat actors obtained plaintext Active Directory credentials and used the associated accounts with external remote services for access and lateral movement.
- Third, the attackers installed ransomware and malware and/or exfiltrated and sold sensitive company data.
The attackers used Tor infrastructure and virtual private servers to reduce the likelihood of detection while connected to the victims’ VPN appliances. Many victims were unable to detect the compromise because their antivirus and intrusion detection solutions did not flag the suspicious remote access: the attackers were using legitimate login credentials and legitimate remote services. Several attackers also installed LogMeIn and TeamViewer to ensure they retained access even when the main connection was lost.
When patches are applied for vulnerabilities known to be actively exploited in real-world attacks, organizations should also conduct an analysis to determine whether the vulnerability was already exploited to gain network access. Patching prevents threat actors from exploiting the vulnerability further; however, if a network compromise has already occurred, applying the patch will not remove the attackers from the systems.
CISA has now created a tool that organizations can use to determine whether the Pulse Secure VPN vulnerability has already been exploited. The tool can be used to search the log files of Pulse Secure VPN servers to find out whether the gateway was compromised. Besides helping system administrators triage logs, the tool also checks for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Secure vulnerability.
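The kind of log triage described above, as an added example that is not CISA's tool and does not use Pulse Secure's real log format: the log layout, the sample lines and the IoC values (RFC 5737 documentation addresses and a placeholder user-agent string) are all constructed for illustration. It matches lines against an IoC list, flags path-traversal style requests, and, because the advisory's point is that stolen credentials outlive the patch, reports accounts that authenticated successfully from an IoC address and accounts that logged in from more than one source address.

```python
"""Triage VPN gateway access logs for signs that a vulnerability was
exploited before the patch landed.

Added example: this is not CISA's tool and not Pulse Secure's log format.
The log layout, the sample lines and the IoC values are all constructed
(RFC 5737 documentation addresses and placeholder strings) for illustration.
"""
import re
from collections import defaultdict

# Constructed IoC list: placeholders, not real indicators from any advisory.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_USER_AGENTS = {"PlaceholderScanner/1.0"}

# Constructed sample log: timestamp, source IP, user ("-" if unauthenticated),
# event, request path, user agent.
SAMPLE_LOG = """\
2020-04-01T08:00:01Z 192.0.2.10 alice AUTH_OK /vpn/login.cgi UA=Mozilla/5.0
2020-04-01T08:02:13Z 203.0.113.45 - WEB_REQ /static/../../../config UA=PlaceholderScanner/1.0
2020-04-01T08:05:44Z 203.0.113.45 svc_backup AUTH_OK /vpn/home.cgi UA=Mozilla/5.0
2020-04-01T09:17:09Z 198.51.100.7 svc_backup AUTH_OK /vpn/home.cgi UA=Mozilla/5.0
2020-04-01T09:30:00Z 192.0.2.10 alice AUTH_FAIL /vpn/login.cgi UA=Mozilla/5.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<event>\S+) (?P<path>\S+) UA=(?P<ua>.*)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, ioc_ips=IOC_IPS, ioc_user_agents=IOC_USER_AGENTS):
    """Scan a log for IoC hits and credential-abuse patterns.

    Returns a dict with:
      findings           list of (kind, line_number, detail) tuples
      accounts_to_reset  accounts that authenticated successfully from an IoC
                         address; their credentials must be assumed stolen
    """
    findings = []
    accounts_to_reset = set()
    ok_sources = defaultdict(set)  # user -> set of IPs with a successful login

    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as clean
        if rec["ip"] in ioc_ips:
            findings.append(("ioc_ip", lineno, rec["ip"]))
        if rec["ua"] in ioc_user_agents:
            findings.append(("ioc_user_agent", lineno, rec["ua"]))
        # A ".." path segment is a generic sign of a file-read attempt.
        if ".." in rec["path"].split("/"):
            findings.append(("path_traversal", lineno, rec["path"]))
        if rec["event"] == "AUTH_OK":
            ok_sources[rec["user"]].add(rec["ip"])
            if rec["ip"] in ioc_ips:
                accounts_to_reset.add(rec["user"])

    # One account logging in from several source addresses is consistent with
    # stolen credentials being replayed from attacker infrastructure.
    for user, ips in sorted(ok_sources.items()):
        if len(ips) > 1:
            findings.append(("multi_source_login", 0, f"{user} from {sorted(ips)}"))

    return {"findings": findings, "accounts_to_reset": accounts_to_reset}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, lineno, detail in result["findings"]:
        print(f"[{kind}] line {lineno}: {detail}")
    print("reset passwords for:", sorted(result["accounts_to_reset"]))
```

Run against the constructed sample, the script reports the IoC address on three lines, the placeholder user agent and the traversal request on one line, and puts `svc_backup` on the reset list: it authenticated from an IoC address and then from a second address, which is exactly the post-patch credential reuse the advisory warns about. On a real gateway the IoC sets would be loaded from the vendor or CISA advisory rather than hard-coded, and the parser would be adapted to the appliance's actual log format.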
When organizations discover evidence of suspicious, malicious or anomalous activity or records, they should consider reimaging the affected workstation or server before redeploying it into the environment. CISA suggests carrying out scans to make sure the infection is gone even after the workstation or host has been reimaged.
Besides running the scans, CISA suggests changing Active Directory passwords and searching for unauthorized applications, scheduled tasks, and any remote access applications that were installed without IT department approval. Scans must also be performed to detect any remote access Trojans and malware that may have been installed.
Many organizations that use VPN servers for remote access do not have multi-factor authentication in place, meaning that any compromised credentials could be used to gain access to the network through the VPN gateway. With multi-factor authentication enabled, using stolen credentials becomes much harder, as a second factor is required before access is granted.