Widely Known Flaws in Pulse Secure VPN and Android Phones Exploited in the Wild to Launch Attacks

  • The flaw tracked as CVE-2019-1150 affects Pulse Secure VPN and has been rated highly critical.
  • Android phones are affected by a Binder vulnerability tracked as CVE-2019-2215.

Targeting unpatched devices or products can wreak havoc worldwide. Lately, cybercriminals have been found exploiting known vulnerabilities in Pulse Secure VPN and Android phones to launch cyberattacks on individuals and organizations.

The exploitation of CVE-2019-1150

UK-based security researcher Kevin Beaumont, who describes REvil as ‘big game’ ransomware, has reported that at least two organizations have been compromised through the Pulse Secure VPN flaw. The flaw has been adopted by cybercriminals to push ransomware.

Among those believed to be affected in the ongoing campaign is the travel insurance and currency exchange provider Travelex. The attack involved the use of REvil ransomware and forced the company to take all of its systems offline and resort to manual operations at branches nationwide.

The flaw, tracked as CVE-2019-1150, has been rated highly critical. This arbitrary file read vulnerability affects multiple versions of Pulse Connect Secure and Pulse Policy Secure. It gives remote attackers a way to connect via HTTPS to an enterprise network without a valid username or password.

Attackers can use the flaw to view logs and files, turn off multi-factor authentication, download arbitrary files and execute malicious code on enterprise networks.

Pulse Secure released a security update addressing the issue in April 2019, and users are urged to apply the patches immediately to mitigate such attacks.

The exploitation of CVE-2019-2215

The SideWinder APT group was found actively abusing a Binder vulnerability through at least three apps found in the Google Play Store. The three malicious apps were Camera, FileCrypt and callCam. They were disguised as photography and file manager tools and had been active since March 2019.

“These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder’s infrastructure. In addition, a URL linking to one of the apps’ Google Play pages is also found on one of the C&C servers,” explained Trend Micro researchers in their blog post.

The flaw, tracked as CVE-2019-2215, affects several Android devices, including Pixel 1 and 2 phones. It can allow an elevation of privilege from an application to the Linux kernel. Exploiting it requires either the installation of a malicious local application or a separate vulnerability in a network-facing application.

Upon discovery, Google removed these apps from its Play Store.