CISA Alerts of Continuous Cyberattacks on Pulse Secure VPNs Despite Patching

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) released an alert to all businesses that utilize Pulse Secure VPN servers concerning the probability of not avoiding cyberattacks despite patching vulnerabilities. CISA is advised that attacks are still taking place even after implementing patches to resolve identified vulnerabilities.

CISA published an advisory roughly a year ago telling businesses to patch a vulnerability (CVE-2019-1151) discovered in Pulse Secure Virtual Private Network equipment caused by a high chance of exploitation. Numerous organizations did not implement the patch immediately, and cybercriminals took advantage.

CVE-2019-1151 is an arbitrary file reading vulnerability impacting Pulse Secure VPN machines. The vulnerability was found in the spring last year and Pulse Secure launched a patch to resolve the vulnerability last April 2019. A few advanced persistent threat gangs are noted to have taken advantage of the vulnerability and copied information and download ransomware and malware. By taking advantage of the vulnerability and thieving information, the attackers can obtain continual system access even after applying the patch, in case there was no modification in the credentials.

CISA found threat actors taking advantage of the vulnerability to download ransomware at a couple of government agencies and medical centers, even after implementing the patches.

First, cybercriminals took advantage of the vulnerability to access the network via vulnerable VPN products.

Second, the attackers could get plaintext Active Directory credentials, and used the related accounts with external remote services for access and for lateral movement.

Third, the threat actors deployed malware and ransomware and/or exfiltrated and offered for sale sensitive organization data.

The threat actors utilized Tor infrastructure and virtual private servers to limit the likelihood of detection each time they were hooked up to the victims’ VPN devices. Numerous victims were unsuccessful in identifying the compromise because their antivirus and attack detection tools did not recognize the shady remote access considering that the attackers utilized real sign-in credentials and remote services. A number of attackers employed LogMeIn and TeamViewer to make certain they had consistent access even though the principal connection was missing.

When patches are used to resolve vulnerabilities that are regarded to be actively taken advantage of in real-world attacks, companies then must perform analyses to find out if the vulnerability was already used to obtain systems access. Patching will stop threat actors from further taking advantage of the vulnerability, although when a system compromise already transpired, implementing the patch won’t get the attackers out of networks.

CISA has now designed a solution that companies can utilize to discover if the Pule Secure VPN vulnerability was already taken advantage of. The solution may be utilized to search the record files of Pulse Secure VPN servers to know when the gateway was compromised. Aside from assisting system administrators triage logs, the solution will likewise search for Indicators of Compromise (IoCs) linked to the exploitation of the Pulse Security vulnerability.

In case organizations locate proof of malicious, anomalous or suspicious action or information, they need to look into reimaging the server or workstation and redeploying back into the world. CISA advises doing assessments to assure the infection is eliminated even when the host or workstation was reimaged.

Aside from carrying out the scans, CISA advises modifying Active Directory passwords and doing a lookup for unauthorized programs, planned tasks, and any remote access applications that were set up that the IT departments didn’t agree to. Scans need to be carried out to find any remote access Trojans and any malware that could have been deployed.

A number of companies that employ VPN servers for remote access don’t use multi-factor authentication, which suggests that any ripped off credentials may be employed to get access to systems by way of the VPN gateways. Having multi-factor authentication ready, usage of stolen credentials becomes significantly more difficult, as a second factor is going to be necessary before allowing access.