Attackers have been actively scanning for endpoints running vulnerable versions of the popular Pulse Secure VPN software, which are exposed to a critical remotely exploitable (RCE) vulnerability first disclosed in July 2019.
In June 2020, Black Kingdom ransomware operators gained initial access to enterprise infrastructures through the Pulse Secure VPN vulnerability (CVE-2019-11510) and disguised their activity as a legitimate scheduled task for Google Chrome, with a single letter making the difference.
REDTEAM.PL researchers found that the malicious task was named "GoogleUpdateTaskMachineUSA", posing as the legitimate task "GoogleUpdateTaskMachineUA".
The malicious Black Kingdom task "GoogleUpdateTaskMachineUSA" executes PowerShell code that downloads a script named "reverse.ps1", which opens a reverse shell on the compromised host.
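The masquerade described above turns on a one-character difference in a scheduled-task name, which is exactly the kind of thing a human reviewing a task list misses but a script catches. The following is an added detection example, not code from the article or from REDTEAM.PL: it parses constructed log lines modelled on Windows Security event 4698 ("A scheduled task was created"), flags task names that are a small edit distance away from an allow-list of known legitimate names, and separately flags tasks whose command is PowerShell. The allow-list, the sample events, the account names and the `reverse.ps1` path are assumptions built for the example; only the two Google Update task names come from the article.

```python
"""Flag scheduled-task creations whose name is a near-miss of a known-good task name."""
from __future__ import annotations

import re

# Assumption: the defender maintains this from a known-good baseline of the fleet.
# "GoogleUpdateTaskMachineUA" is the legitimate name from the article;
# "GoogleUpdateTaskMachineCore" is its usual sibling task (assumed here).
KNOWN_GOOD_TASKS = {
    "GoogleUpdateTaskMachineUA",
    "GoogleUpdateTaskMachineCore",
}

# Constructed sample events, flattened to one line each in the style of
# Windows Security event 4698 (scheduled task created). Not real log data.
SAMPLE_EVENTS = [
    'EventID=4698 Account=CORP\\svc_admin TaskName="\\GoogleUpdateTaskMachineUA" '
    'Command="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"',
    'EventID=4698 Account=CORP\\jdoe TaskName="\\GoogleUpdateTaskMachineUSA" '
    'Command="powershell.exe" Arguments="-ExecutionPolicy Bypass -File C:\\Users\\Public\\reverse.ps1"',
    'EventID=4698 Account=CORP\\jdoe TaskName="\\Backup Nightly" Command="C:\\Tools\\backup.exe"',
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_event(line: str) -> dict | None:
    """Pull account, task name and command out of a flattened 4698-style line."""
    task = re.search(r'TaskName="\\?([^"]+)"', line)
    if not task:
        return None
    command = re.search(r'Command="([^"]*)"', line)
    account = re.search(r"Account=(\S+)", line)
    return {
        "account": account.group(1) if account else "",
        "task": task.group(1),
        "command": command.group(1) if command else "",
    }


def closest_known(name: str, known: set[str]) -> tuple[str, int]:
    """Return the allow-listed name nearest to `name` and the edit distance to it."""
    best = min(known, key=lambda k: levenshtein(name.lower(), k.lower()))
    return best, levenshtein(name.lower(), best.lower())


def is_lookalike(name: str, known: set[str], max_distance: int = 1) -> bool:
    """True when `name` is not allow-listed but is within `max_distance` edits of one."""
    if name in known:
        return False
    return closest_known(name, known)[1] <= max_distance


def find_suspicious_tasks(lines: list[str], known: set[str] = KNOWN_GOOD_TASKS) -> list[dict]:
    """Return one finding per event that trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = []
        closest = None
        if is_lookalike(ev["task"], known):
            closest, dist = closest_known(ev["task"], known)
            reasons.append(f"name is {dist} edit(s) from known task {closest}")
        if "powershell" in ev["command"].lower():
            reasons.append("task action launches PowerShell")
        if reasons:
            findings.append({**ev, "closest": closest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_EVENTS):
        print(f"{f['account']} created {f['task']!r}: " + "; ".join(f["reasons"]))
```

In the constructed sample only the "USA" task fires, on both rules: it sits one edit from the allow-listed name and its action is PowerShell rather than the Google updater binary. The same near-miss check works against any baseline of expected task names, and raising `max_distance` to 2 catches two-character variants at the cost of more review work.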
Not a new vulnerability
This is not the first time this vulnerability has been exploited; attackers have previously targeted unpatched Pulse Secure VPN servers through CVE-2019-11510.
In May 2020, a ransomware attack targeted the law firm Grubman Shire Meiselas & Sacks after one of its associated domains was found to be running an unpatched Pulse Secure VPN server.
In April 2020, hackers used stolen Active Directory credentials to deploy ransomware on the systems of U.S. hospitals and government entities after exploiting the vulnerability in their Pulse Secure VPN servers.
In January 2020, REvil (Sodinokibi) ransomware hit Travelex by leveraging the vulnerability in the Pulse Secure VPN enterprise solution. In the same month, ransomware operators exploited unpatched Pulse Secure VPN servers to gain a foothold and disable antivirus.
Immediate action required
Pulse Secure LLC released the patch for this vulnerability in August 2019. The US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations to patch their Pulse Secure VPN servers in January 2020 and April 2020. Organizations should apply the software patch immediately to reduce the risk.