VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers

State-backed hacking group steps up campaign against VPN services
If you’re on Fortinet, Palo Alto, Pulse Secure, patch now, warns UK spy agency

Cybercriminals who use the REvil (Sodinokibi) ransomware to extort large organizations are now targeting unpatched Pulse Secure VPN servers to gain a foothold and disable antivirus. 

A security researcher is urging organizations that use Pulse Secure VPN to patch now or face ‘big game’ ransomware attacks by criminals who can easily use the Shodan.io IoT search engine to identify vulnerable VPN servers. 

The REvil (Sodinokibi) ransomware was used in an attack last month on NASDAQ-listed US data-center provider CyrusOne and, over the summer, against several managed service providers, 20 Texas local governments, and over 400 dentist offices. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

UK security researcher Kevin Beaumont puts REvil in the ‘big game’ category because criminals have employed it to encrypt critical business systems and demand huge sums of money. The ransomware strain, discovered in April, initially used a vulnerability in Oracle WebLogic to infect systems. 

The Pulse Secure VPN servers being targeted with REvil haven’t been applied with patches flagged in warnings from the US CISA, US National Security Agency and the UK’s National Cybersecurity Centre in October. The warnings followed evidence that state-backed hackers were exploiting flaws in both Pulse Secure and Fortinet VPN products. 

Now the flaw has been adopted by cybercriminals, probably because it’s such a potent bug. 

Beaumont notes that the Pulse Secure VPN bug is “incredibly bad” because it allows remote attackers, without valid credentials, to remotely connect to the corporate network, disable multi-factor authentication, and remotely view logs and cached passwords in plain text, including Active Directory account passwords. 

Two incidents he’s detected in the past week employed the same basic strategy: gain access to the network, grab domain admin controls, and then use the open-source VNC remote-access software to move around the network. 

SEE: Ransomware attack hits major US data center provider

After that, all endpoint security tools were disabled and REvil (Sodinokibi) was pushed to all systems via PsExec, an Windows remote administrative utility that allows users to launch “interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems”. 

According to a January 4 scan by security firm Bad Packets, there were 3,825 Pulse Secure VPN servers that hadn’t been patched for the flaw CVE-2019-11510 – one of the two Pulse Secure VPN flaws in the October alerts. Over 1,300 of those vulnerable VPN servers were based in the US.  

Pulse Secure said most of its customers have now successfully applied the fix it issued in April 2019 and are no longer vulnerable. 

“But unfortunately, there are organizations that have yet to apply this patch,” Pulse Secure CMO Scott Gordon told ZDNet. 

“Of the original 20,000-plus VPN servers that Bad Packets originally reported as vulnerable back in August, less than 5% remain vulnerable. We continue to urge customers to patch their VPN systems – this server-side patch does not require updating the client.”

More on VPN security and ransomware