The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an advisory urging organizations to update all Active Directory credentials to enhance security against cyberattacks exploiting a known remote code execution (RCE) vulnerability within Pulse Secure VPN servers, regardless of whether they have applied patches. This warning follows a previous alert from CISA issued three months earlier that reiterated the necessity of addressing vulnerabilities within Pulse Secure VPN environments to protect against potential exploits.
CISA has noted that threat actors who have already compromised an organization using CVE-2019-11510 could still navigate laterally through the organization’s network even after a patch has been deployed, provided that the stolen credentials remain unchanged. Consequently, organizations are advised to take immediate action to safeguard their networks.
In conjunction with this advisory, CISA has made available a tool designed to assist network administrators in detecting indicators of compromise associated with this flaw. The vulnerability, designated CVE-2019-11510, is particularly concerning as it allows unauthenticated remote attackers to access sensitive user credentials and execute commands on compromised VPN servers.
The flaw arises from a directory traversal issue that lets specially crafted URLs read sensitive files on the appliance. Pulse Secure addressed this vulnerability with an out-of-band patch released in April 2019, yet a substantial number of vulnerable servers still exist. Reports indicated that of the more than 14,500 servers originally identified as unpatched, approximately 2,099 still remained vulnerable as of the most recent count, highlighting a persistent weakness exploited by malicious actors.
The ongoing presence of unpatched Pulse Secure VPN servers has rendered them attractive targets for cybercriminals aiming to distribute malware. A report from ClearSky identified state-sponsored Iranian hackers leveraging CVE-2019-11510 to infiltrate and siphon sensitive information from IT and telecommunications firms globally. Furthermore, the exploit code for this vulnerability is widely accessible online, including on platforms like GitHub and within the Metasploit framework, enabling malicious actors to execute attacks with relative ease.
In past advisories, the UK’s National Cyber Security Centre has similarly warned that advanced threat groups are capitalizing on this vulnerability, targeting sectors such as government, military, healthcare, and education. A recent case involved Travelex, a foreign exchange and travel insurance firm that was hit with ransomware via the Pulse Secure vulnerability, ultimately leading to the payment of a multi-million-dollar ransom to regain control of its systems.
In light of these developments, it is crucial for organizations to not only apply patches to their Pulse Secure VPN but also to reset their credentials and conduct thorough scans for any unauthorized access attempts. CISA further recommends eliminating unapproved remote access tools and meticulously reviewing scheduled tasks for any scripts or executables that may facilitate unauthorized connections.
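The "scan for unauthorized access attempts" step above is where the scope of a credential reset gets decided: any source that received a successful response to a traversal request must be assumed to have read credential material. The following is an added example (not CISA's detection tool and not the article's own code) that hunts for directory traversal requests in constructed access-log lines; it assumes the VPN's web requests are logged in a common access-log shape, and it decodes percent-encoding repeatedly so double-encoded `..` sequences are not missed.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample lines (not real Pulse Secure logs); paths are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2020:10:01:02 +0000] "GET /login/index.html HTTP/1.1" 200 1234
203.0.113.9 - - [12/Apr/2020:10:02:17 +0000] "GET /app/../../../../var/data.txt HTTP/1.1" 200 2048
203.0.113.9 - - [12/Apr/2020:10:02:19 +0000] "GET /app/%2e%2e/%2e%2e/config.xml HTTP/1.1" 200 777
198.51.100.4 - - [12/Apr/2020:10:03:40 +0000] "GET /app/%252e%252e/%252e%252e/x HTTP/1.1" 404 0
10.0.0.6 - - [12/Apr/2020:10:04:00 +0000] "GET /static/logo.png HTTP/1.1" 200 512
"""

# Matches the common "ip - - [timestamp] "METHOD path PROTO" status" layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target: str) -> bool:
    """True if the decoded request target contains a parent-directory traversal segment."""
    decoded = fully_decode(target).replace("\\", "/")
    return "/../" in decoded or decoded.endswith("/..")


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed request whose target is a traversal attempt, with its status code."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": m["status"]})
    return hits


def successful_sources(log_text: str) -> List[str]:
    """Sources whose traversal request got a 2xx: treat credentials exposed to them as stolen."""
    return sorted({h["ip"] for h in find_traversal_attempts(log_text) if h["status"].startswith("2")})


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
    print("reset scope driven by:", successful_sources(SAMPLE_LOG))
```

A 404 on a traversal path still records an attempt worth correlating with other sources, but only the 2xx responses mean something was actually read.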
As the threat landscape evolves, organizations must remain vigilant in their cybersecurity practices. For comprehensive guidance on mitigating the risk associated with this vulnerability, the NSA has published additional recommendations that can be accessed through its advisory.