Pulse Secure VPN vulnerability targeted with ransomware

Threat actors appear to be exploiting vulnerable Pulse Secure VPN servers to hit enterprises with ransomware attacks, even though a patch has been available since April 2019.

A security researcher has discovered new ransomware attacks against enterprises with vulnerable Pulse Secure VPN servers.

Kevin Beaumont, a security researcher based in the U.K., said the Pulse Secure VPN vulnerability -- which was originally patched in April 2019 -- has been targeted in ransomware attacks recently. Beaumont noted in a blog post that he saw two incidents last week where the impacted companies "believed Pulse Secure was the cause of a breach, and used to deliver Sodinokibi (REvil) ransomware."

"In both cases the organisations had unpatched Pulse Secure systems, and the footprint was the same -- access was gained to the network, domain admin was gained, VNC [virtual network computing] was used to move around the network, and then endpoint security tools were disabled and Sodinokibi was pushed to all systems via psexec," Beaumont wrote.
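The post-exploitation sequence Beaumont describes (domain admin obtained, VNC used to move laterally, endpoint security disabled, ransomware pushed with psexec) leaves a recognisable trail in Windows event logs. The following is an added example, not code from the article, from Beaumont or from Pulse Secure, showing how a defender could flag two of those stages over constructed event records: PsExec installing its PSEXESVC service (System event 7045) on several hosts within a short window, and Windows Defender real-time protection being disabled (Defender event 5001) shortly before such an install on the same host. The event schema, host names, account names and timestamps are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"      # service name PsExec installs on the target host
SERVICE_INSTALLED = 7045         # System log: a new service was installed
DEFENDER_RTP_DISABLED = 5001     # Windows Defender log: real-time protection disabled

# Constructed sample events (not real telemetry), in the order the described chain unfolds.
# Field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2020-01-06T01:10:00", "host": "WS-014", "id": DEFENDER_RTP_DISABLED,
     "user": "CORP\\admin01", "service": None},
    {"time": "2020-01-06T01:12:00", "host": "WS-014", "id": SERVICE_INSTALLED,
     "user": "CORP\\admin01", "service": PSEXEC_SERVICE},
    {"time": "2020-01-06T01:12:30", "host": "WS-015", "id": SERVICE_INSTALLED,
     "user": "CORP\\admin01", "service": PSEXEC_SERVICE},
    {"time": "2020-01-06T01:12:45", "host": "FS-01", "id": SERVICE_INSTALLED,
     "user": "CORP\\admin01", "service": PSEXEC_SERVICE},
    # Benign: an ordinary service install by a deployment account, days earlier.
    {"time": "2020-01-02T09:00:00", "host": "WS-020", "id": SERVICE_INSTALLED,
     "user": "CORP\\sccm_svc", "service": "ccmsetup"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of an event record."""
    return datetime.fromisoformat(event["time"])


def psexec_installs(events):
    """Return the events where PsExec's service was installed (7045 with PSEXESVC)."""
    return [e for e in events
            if e["id"] == SERVICE_INSTALLED and e.get("service") == PSEXEC_SERVICE]


def detect_mass_psexec(events, window_minutes=15, min_hosts=3):
    """Flag an account that installed PSEXESVC on at least min_hosts distinct hosts
    within window_minutes. Returns a list of (user, sorted hosts) findings."""
    by_user = defaultdict(list)
    for e in sorted(psexec_installs(events), key=_ts):
        by_user[e["user"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, evs in by_user.items():
        # Slide a window starting at each install and count distinct target hosts.
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            if len(hosts) >= min_hosts:
                findings.append((user, sorted(hosts)))
                break
    return findings


def detect_defender_then_psexec(events, window_minutes=30):
    """Flag hosts where real-time protection was disabled shortly before PSEXESVC
    was installed on the same host (the 'disable EDR, then push' pattern)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for host, evs in by_host.items():
        disabled = [_ts(e) for e in evs if e["id"] == DEFENDER_RTP_DISABLED]
        pushes = [_ts(e) for e in psexec_installs(evs)]
        if any(timedelta(0) <= (p - d) <= window for d in disabled for p in pushes):
            flagged.append(host)
    return sorted(flagged)


def triage(events):
    """Run both detections and return the findings keyed by detection name."""
    return {
        "mass_psexec": detect_mass_psexec(events),
        "defender_disabled_then_psexec": detect_defender_then_psexec(events),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(name, result)
```

Both detections key on the service install rather than on a process name, because the 7045 record is written on the target host whichever machine ran PsExec; the thresholds (three hosts in fifteen minutes, a thirty-minute gap after the Defender event) are starting points to tune against a site's normal administrative activity.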

He added that the recent ransomware attack against Travelex, a foreign exchange company based in London, was potentially due to the Pulse Secure VPN vulnerability, because he found the company had seven unpatched servers. Beaumont said there was one incident in which exploitation of the Pulse Secure VPN vulnerability to deliver ransomware was confirmed, but no details of that attack were given.

Pulse Secure said in a statement that it is urging "all customers to apply the patch fix."

"Pulse Secure publicly provided a patch fix on April 24, 2019, that should be immediately applied to the Pulse Connect Secure (VPN)," Scott Gordon, chief marketing officer at Pulse Secure, said. "The CVE-2019-1150 vulnerability is highly critical. Customers that have already applied this patch would not be vulnerable to this malware exploit."

Not the first attacks

Troy Mursch, chief research officer for Bad Packets LLC, a security research company based in Chicago, has been tracking the Pulse Secure VPN vulnerability for months. The flaw was first attacked in August 2019, and at the time Bad Packets said there were more than 14,500 vulnerable servers worldwide.

Since those attacks, the Department of Homeland Security and the National Security Agency have issued warnings urging users to patch.

On Jan. 3, Bad Packets reported on Twitter its most recent scan found 3,825 servers still vulnerable to the Pulse Secure flaw. Bad Packets also claimed it had notified Travelex about its vulnerable Pulse Secure VPN servers in September, but never received a response.
