Stolen passwords can be used to access internet networks of companies that have patched Pulse Secure VPN products
Pulse Secure VPNs got compromised, and attackers managed to stole credentials, passwords, and other information that is possibly now used to hack customers. CISA alerts organizations to be cautious and change their Active Directory credentials as a method to defend from cyberattacks.
A known vulnerability in Pulse Secure VPN servers can be leveraged and used to execute the remote code. This can even work on patched servers, as The United States Cybersecurity and Infrastructure Security Agency reports:
Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access — and move laterally through — that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials.
Pulse Secure VPN servers – an enterprise-grade VPN gateway that companies use to securely connect workers to the company networks. The major vulnerability was disclosed in various products last year, and even though it got patched, hacker groups still can exploit it. Fortunately, CISA released a tool to help network administrators with this flaw.
CVE-2019-11510 – a remote code execution flaw
When the flaw gets exploited, the attacker can infect the vulnerable VPN server or servers and gain access to other parts of the network. Unfortunately, there are many functions that can get run after such infiltration, so credentials, passwords can be stolen. Also, arbitrary command execution and malware installation are possible.
This flaw can be used to steal plaintext Active Directory credentials. When the targeted organizations do not change all passwords, these hackers can use such AD credentials and regain access to the network even after the patching. These patches were released a year ago, and many organizations, unfortunately, do not apply the fix then.
In a few months, many researchers started to warn about possible methods that attackers can open ports and look for unpatched servers. During this time, it was discovered that attackers used these flaws to install malware. Additional reports in March 2020, showed that there are still 2,100 Pulse Secure VPN servers vulnerable, so many organizations still can be exposed to this day.
Possible consequences of leaving the Pulse Secure VPN unpatched still
There are still unpatched Pulse Secure VPN servers, and customers can become a lucrative target of malicious actors and get malware like ransomware that creates even more damage than remote code execution. Many companies still run these products with single-factor authentication, and attackers can easily access these networks using the stolen credentials.
The ability to both increase authentication requirements beyond a single factor and perform continuous identity based monitoring around the misuse of credentials is an essential part of modern enterprise security architecture.
Unfortunately, some of the organizations have faced the consequences already. Hackers have taken advantage of unpatched Pulse Secure VPN products to access to networks and even spread ransomware that later on leads to ransom demands and losses of huge amounts of money.
CISA suggests removing any unapproved remote access programs and inspect scheduled tasks for any executables and scripts that can allow attackers to connect to the environment.