VPN Vulnerability Actively Being Exploited In The Wild… Yikes!

If you have a Pulse Secure VPN, you should be aware of an urgent patch that needed to be applied back in April of last year. The vulnerability that this patch fixes is CVE-2019-11510, and it can basically be abused to extract plain-text passwords, and other secrets, from networks without any authentication. Or put another way, it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, and remotely view logs and cached passwords in plain text. And that includes Active Directory account passwords.

In case you are wondering, that’s very, very bad.

Now let’s pretend for a second that you did not apply this patch last April. Or you didn’t know about it. Well, you might be in deep trouble, as there’s a group that is now actively exploiting this vulnerability to pwn networks with ransomware. The latest victim to get pwned so far is UK-based Travelex, according to this article:

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year’s Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex’s network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the individual claiming to be part of the Sodinokibi operation told the BBC. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

The group behind these attacks has seven victims so far, and that number is likely to grow. Bad Packets Report’s Troy Mursch ran a vulnerability scan finding that thousands of Pulse Secure VPN servers worldwide remain vulnerable. Which means that the pwnage has the potential to be epic. Thus, if you’re using a Pulse Secure VPN, you should get to patching it now. As in right now. Seriously. Drop everything and do it now.
