The vulnerabilities in Pulse Secure VPNs have been widely exploited by almost every kind of threat actor. Read on to learn more…
The security vulnerabilities in Pulse Secure VPNs have been widely exploited by almost every kind of threat actor, from nation-state groups to ransomware gangs.
Favorite Target of Hackers
Over 80% of Fortune 500 companies and 23,000 enterprises, covering 18 million endpoints, use Pulse Secure VPN to connect securely to corporate networks. However, Pulse Secure VPN servers have been a frequent target for exploitation and remote code execution. In some cases, cybercriminals take control of a Pulse Secure VPN server and then move into the company's internal network to deploy malware, install ransomware, or steal intellectual property, retaining that access even after the company patches its VPN servers.
Last year, the attackers behind the REvil ransomware gained access to the network of the currency exchange Travelex, most likely through one or more critical Pulse Secure vulnerabilities that administrators had left unpatched. Early this year, a rash of in-the-wild attacks exploited zero-day flaws in a Citrix VPN until the company managed to patch them.
While examining a customer's deployment of Pulse Secure VPN, the security firm GoSecure discovered a code execution vulnerability, tracked as CVE-2020-8218, on the system running the VPN. If left unpatched, the flaw could be used by attackers to take control of an organization's entire network.
The clothing retailer Monsoon Accessorize was found to be running unpatched Pulse Connect Secure VPN servers, putting it at risk of attack. According to researchers, the servers contained critical vulnerabilities that could allow attackers to see the active users on the company's VPN, as well as their plaintext passwords.
Posted on Dark Web
Active since 2017, Pioneer Kitten, an Iranian hacking group, has recently started selling access on underground forums to vulnerable corporate and government networks reached through their VPN servers. Alongside some other well-known VPN server vulnerabilities, the group is monetizing access obtained through a file-reading vulnerability in unpatched Pulse Connect Secure enterprise VPN servers.
Russian-speaking hackers posted more than 900 Pulse Secure VPN server usernames and passwords on the dark web. The list included the Pulse Secure VPN server firmware version, all local users and their password hashes, SSH server keys, previous VPN logins with cleartext credentials, administrator account details, and session cookies.
Although phishing attacks are old, they remain among the most effective ways to breach the defenses not just of consumers but of Fortune 500 companies and government organizations as well. The stakes are even higher given the work-from-home arrangements brought on by the COVID-19 pandemic.
Organizations that fail to apply patches in a timely manner will continue to attract the attention of malicious actors looking to exploit unpatched Pulse Secure VPN servers. However, patching is not always the whole solution: some companies are being breached even after patching their Pulse Secure VPNs, because credentials harvested before the patch remain valid. In such cases, they should consider changing the passwords of all their Active Directory accounts, including service and administrator accounts.
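To make the password-rotation advice above actionable, the following PowerShell script is an added example (not code from the article or from Pulse Secure) that lists enabled Active Directory accounts whose password has not been changed since the date the VPN appliance is believed to have been compromised, flagging service accounts and privileged group members first. It assumes the RSAT ActiveDirectory module is installed, that the operator has read access to the directory, and that `$CompromiseDate` is a placeholder to be replaced with the actual incident date; the group names checked are the default built-in ones and should be extended with any custom admin groups.

```powershell
# Added example: identify AD accounts that still need a password rotation after a
# VPN credential-theft incident. Assumes the RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

# Placeholder: replace with the earliest date the VPN appliance is believed compromised.
$CompromiseDate = Get-Date '2020-01-01'

# Built-in privileged groups; add any custom admin or tier-0 groups used in your domain.
$PrivilegedGroups = 'Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators'

$accounts = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, MemberOf

$needsRotation = $accounts |
    Where-Object {
        # Password set before the compromise window, or never set at all.
        (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $CompromiseDate)
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'IsServiceAccount'; Expression = { [bool]$_.ServicePrincipalName } },
        @{ Name = 'IsPrivileged';     Expression = { [bool]($_.MemberOf -match $PrivilegedGroups) } }

# Privileged and service accounts go to the top of the rotation list; output to CSV
# so the incident team can track rotation progress outside this session.
$needsRotation |
    Sort-Object IsPrivileged, IsServiceAccount -Descending |
    Export-Csv -Path '.\accounts-to-rotate.csv' -NoTypeInformation

Write-Host ("{0} enabled accounts have passwords older than {1:yyyy-MM-dd}" -f `
    $needsRotation.Count, $CompromiseDate)
```

The script only reports; it does not change any passwords. Service accounts with a registered SPN are singled out because their passwords are rarely rotated and the credential material harvested from a VPN appliance often includes them. The `IsPrivileged` check looks only at direct group membership; nested membership should be resolved separately (for example with `Get-ADPrincipalGroupMembership` or a recursive LDAP query) before treating an account as non-privileged.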