New Server Vulnerability - Pulse VPN

March 19, 2020 | 2 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

An initial advisory regarding a vulnerability in Pulse VPN servers (CVE-2019-11510) was released on April 24, 2019. The timeline of events since that first advisory includes:

  • April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
  • May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
  • July 31, 2019 – Full remote code execution (RCE) is demonstrated: the exploit uses the admin session hash to obtain a complete shell.
  • August 8, 2019 – Meh Chang and Orange Tsai present VPN vulnerabilities across multiple vendors, including Pulse Secure, with a detailed account of active VPN exploitation.
  • August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally that are still unpatched and in need of an upgrade.
  • October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products actively targeted by advanced persistent threat actors.
  • October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
  • January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

Aside from targeting Pulse VPN servers to install REvil ransomware, the FBI reports that unidentified threat actors have used the flaw "to exploit notable US entities" since August 2019. In August 2019, attackers were able to gain access to a US financial entity’s research network by exploiting servers unpatched against CVE-2019-11510. The vulnerability in Pulse Secure allowed directory traversal and access to a file where login credentials were written in plain text. In addition, the Pulse Secure appliance may have been vulnerable to buffer overflow and command injection.
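The directory traversal described above leaves a recognisable trace in the appliance's HTTP access logs: request paths that contain `..` segments, often percent-encoded once or twice to slip past naive filters. The following detector is an added example for this post, not BlueVoyant SOC tooling or Pulse Secure code. It parses constructed combined-log-style lines (the IPs, timestamps and paths are made up for the example and deliberately generic, not the Pulse-specific request), decodes each path repeatedly until it stops changing, and flags any path whose decoded form contains a `..` segment, noting separately whether the traversal climbs above the web root and whether the server answered 200 with a non-empty body, which is the subset an analyst would triage first.

```python
"""Flag path-traversal attempts in HTTP access logs (added detection example)."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style; the IPs, timestamps and paths are
# made up for this example and are not taken from any real incident or product.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2019:10:15:01 +0000] "GET /portal/login HTTP/1.1" 200 512
203.0.113.9 - - [10/Aug/2019:10:15:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1433
203.0.113.9 - - [10/Aug/2019:10:15:05 +0000] "GET /static/%2e%2e/%2e%2e/conf/app.conf HTTP/1.1" 200 9031
203.0.113.11 - - [10/Aug/2019:10:15:07 +0000] "GET /static/%252e%252e/%252e%252e/conf/app.conf HTTP/1.1" 404 0
203.0.113.12 - - [10/Aug/2019:10:15:09 +0000] "GET /docs/..%2fadmin HTTP/1.1" 200 78
203.0.113.13 - - [10/Aug/2019:10:15:11 +0000] "GET /app/v1.0/status?verbose=1 HTTP/1.1" 200 21
"""

# Combined-log format: client, identity, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (defeats double encoding)."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def analyze_path(raw_path):
    """Return (decoded_path, has_dotdot, escapes_root) for a request path.

    The query string is dropped, backslashes are normalised to slashes, and the
    path is walked segment by segment so a traversal that climbs above the
    document root (depth goes negative) is distinguished from one that stays inside it.
    """
    decoded = decode_path(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    has_dotdot = False
    escapes_root = False
    for seg in decoded.split("/"):
        if seg == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                escapes_root = True
        elif seg not in ("", "."):
            depth += 1
    return decoded, has_dotdot, escapes_root


def is_traversal(raw_path):
    """True if the path contains any '..' segment once fully decoded."""
    return analyze_path(raw_path)[1]


def scan_log(text):
    """Parse each log line and return one finding per traversal attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        decoded, has_dotdot, escapes_root = analyze_path(m["path"])
        if has_dotdot:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "raw_path": m["path"],
                "decoded_path": decoded,
                "escapes_root": escapes_root,
                "status": int(m["status"]),
                "bytes": 0 if m["size"] == "-" else int(m["size"]),
            })
    return findings


def likely_successful(findings):
    """Attempts the server answered with 200 and a non-empty body: triage these first."""
    return [f for f in findings if f["status"] == 200 and f["bytes"] > 0]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        flag = "ESCAPES ROOT" if f["escapes_root"] else "dot-dot"
        print(f'{f["ip"]:<14} {f["status"]} {flag:<12} {f["raw_path"]} -> {f["decoded_path"]}')
    print(f"{len(likely_successful(hits))} of {len(hits)} attempts returned 200 with content")
```

Run against a real access log, the same `scan_log` reports every decoded `..` request; a 404 or 403 shows the appliance refused the read, while a 200 with a sizeable body on a path outside the web root is the case that warrants treating any credentials stored on that appliance as exposed, which matches the plaintext-credential exposure this post describes.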

During the same month, a US municipal government network was breached through the same vulnerability. In this case, the threat actors were able to enumerate and exfiltrate user accounts, host configuration information, and session identifiers that enable additional access to the internal network.

Based on the sophistication of the Tactics, Techniques, and Procedures (TTPs) used in the two attacks, "the FBI believes unidentified nation-state actors are involved in both compromises; however, it remains unclear if these are isolated incidents."