Vulnerabilities in Pulse Secure VPNs have been widely exploited by attackers ranging from nation-state threat actors to ransomware gangs.
Long been a sitting duck
Over 80% of Fortune 500 companies and some 23,000 enterprises, covering 18 million endpoints, use Pulse Secure VPN to connect remote users to corporate networks. Yet Pulse Secure VPN servers have been a frequent target for exploitation and remote code execution.
In some cases, attackers take control of a Pulse Secure VPN server and then move into the company's internal network to deploy malware, install ransomware, or steal intellectual property. Because credentials and session cookies harvested from the appliance remain valid after the update, this access can survive even after the company patches its VPN servers.
While examining a customer's Pulse Secure VPN deployment, the security firm GoSecure discovered a code execution vulnerability, tracked as CVE-2020-8218, in the VPN appliance. If left unpatched, the flaw could be used by attackers to take control of an organization's entire network.
Clothing retailer Monsoon Accessorize was found running unpatched Pulse Connect Secure VPN servers, putting it at risk of attack. According to researchers, the servers contained critical vulnerabilities that could allow attackers to list the active users on the company's VPN along with their plaintext passwords.
Off to the dark web
Active since 2017, the Iranian hacking group Pioneer Kitten has recently begun selling access to vulnerable corporate and government networks on underground forums. Alongside access obtained through other well-known VPN server vulnerabilities, the group is selling network access gained through an arbitrary file-reading vulnerability in unpatched Pulse Connect Secure enterprise VPN servers, in an attempt to generate cash.
Russian-speaking hackers posted usernames and passwords from more than 900 Pulse Secure VPN servers on the dark web. For each server the list included the firmware version, all local users and their password hashes, SSH server keys, previous VPN logins with cleartext credentials, administrator account details, and session cookies.
Don’t just patch up
Organizations that fail to apply patches in a timely manner will continue to attract attackers looking for unpatched Pulse Secure VPN servers. Patching alone, however, is not always enough: some companies have been compromised after patching their Pulse Secure VPNs, because credentials and session cookies harvested from the appliance before the patch are still valid afterwards. In such cases they should also rotate the passwords of all their Active Directory accounts, including service and administrator accounts, and terminate existing VPN sessions so that stolen session cookies can no longer be replayed.
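One way to carry out the credential rotation described above, written here as an added example rather than anything published with this article: a PowerShell script that finds every enabled Active Directory account whose password predates the VPN patch and forces a change. It assumes the RSAT ActiveDirectory module is installed, that the caller may reset passwords, and that $PatchDate is the day the VPN appliance was patched; the file names it writes are arbitrary. Service accounts (those carrying an SPN) and privileged accounts (adminCount = 1) are listed separately because rotating them blindly can break the services that depend on them.

```powershell
<#
 Added example, not from the original article: after patching a Pulse Secure
 VPN that may already have been exploited, find every enabled AD account whose
 password was last set before the patch and rotate it.
 Assumptions: RSAT ActiveDirectory module available; caller has reset rights;
 -PatchDate is the date the appliance was patched. Without -Enforce the
 script only reports.
#>
param(
    [Parameter(Mandatory)][datetime]$PatchDate,
    [switch]$Enforce
)

Import-Module ActiveDirectory

# One query for every enabled account, with the attributes the triage needs.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, adminCount, ServicePrincipalName

# PasswordLastSet is $null when "must change password" is already pending.
$stale = $users | Where-Object {
    $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $PatchDate
}

$service = $stale | Where-Object { $_.ServicePrincipalName.Count -gt 0 }
$admins  = $stale | Where-Object { $_.adminCount -eq 1 -and $_.ServicePrincipalName.Count -eq 0 }
$regular = $stale | Where-Object { $_.adminCount -ne 1 -and $_.ServicePrincipalName.Count -eq 0 }

"{0} accounts still use a password set before {1:yyyy-MM-dd}" -f $stale.Count, $PatchDate
"  service accounts (SPN present, coordinate reset): {0}" -f $service.Count
"  privileged accounts (adminCount=1):               {0}" -f $admins.Count
"  regular user accounts:                            {0}" -f $regular.Count

# Export the high-value lists so the resets can be planned; a blind reset of a
# service account takes down whatever authenticates with it.
$service |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv -NoTypeInformation -Path .\service-accounts-to-rotate.csv
$admins |
    Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -NoTypeInformation -Path .\admin-accounts-to-rotate.csv

if ($Enforce) {
    # Regular users: require a new password at next interactive logon. This
    # sets pwdLastSet to 0; Kerberos tickets already issued stay valid until
    # they expire, so also terminate active VPN sessions on the appliance.
    $regular | Set-ADUser -ChangePasswordAtLogon $true

    # Privileged accounts: set a fresh random password immediately rather than
    # waiting for a logon, since these are the credentials an intruder reuses.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($a in $admins) {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $a -Reset -NewPassword $pw
        Set-ADUser -Identity $a -ChangePasswordAtLogon $true
    }
}
```

Run it first without -Enforce and review the two CSV files; accounts flagged "password never expires" reject -ChangePasswordAtLogon, so clear that flag (Set-ADUser -PasswordNeverExpires $false) or reset them directly. Service accounts in the first CSV should be rotated together with the configuration of the service that uses them, and the local users and SSH keys on the appliance itself, which the leak described above also exposed, need to be rotated separately since they are not in Active Directory.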