The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert instructing Pulse Secure customers to apply the patch for the 2019 Pulse Secure VPN vulnerability tracked as CVE-2019-11510.
Cybercriminals are continually attacking unpatched Pulse Secure VPN servers. Threat actors exploiting CVE-2019-11510 install the Sodinokibi (REvil) ransomware on the unpatched Pulse Secure VPN servers they target. A number of attacks were already reported in January 2020. Aside from encrypting data, the threat actors steal it and threaten to publish the victims' sensitive data. Last week, information belonging to Artech Information Systems was published because the ransom was not paid.
CISA still sees extensive exploitation of CVE-2019-11510 by various threat actors. Some are nation-state-sponsored advanced persistent attackers exploiting the vulnerability to steal data and passwords and to install malware.
Exploiting CVE-2019-11510 could allow a remote, unauthorized attacker to access all active VPN users and obtain their plain-text passwords. CISA explains that an attacker could also execute arbitrary code on VPN clients if they are able to connect to an unpatched Pulse Secure VPN server.
Pulse Secure published an advisory regarding the vulnerability on April 24, 2019, and released patches to fix it on all affected versions of Pulse Connect Secure and Pulse Policy Secure. However, many organizations have been slow to apply the patches. Because there are no mitigations or alternative fixes that can prevent exploitation, the only option is to apply the patches from Pulse Secure.
CISA has advised all institutions to apply the patches without delay to avoid exploitation of the vulnerability. Approximately 10% of Pulse Secure customers remain vulnerable to the attack because they have not applied the patch.