The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change the passwords of their Active Directory accounts, after several cyberattacks targeted companies that had already patched a related flaw in the VPN.
[...] Government officials say before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.
At the heart of the advisory is a known, critical Pulse Secure arbitrary file reading flaw [tenable.com] that allows remote, unauthenticated attackers to gain access to a victim’s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw have applied the fix since then.
[...] Attackers have already exploited the flaw to snatch up victims’ credentials – and now are using those credentials to move laterally through organizations, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.
[...] “CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,” according to CISA’s alert [us-cert.gov]. “If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and service accounts.”
The flaw exists in Pulse Connect Secure, Pulse Secure’s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a CVSS score of 10 out of 10. Attackers can exploit the flaw to gain initial access to the VPN server, where they are able to read credentials. A proof of concept (PoC) was made public [tenable.com] in August 2019. At that time, Troy Mursch of Bad Packets identified over 14,500 Pulse Secure VPN endpoints that were vulnerable [badpackets.net] to this flaw. In a more recent scan, on Jan. 3, 2020 [twitter.com], Mursch said 3,825 endpoints remained vulnerable.
[...] In addition to urging organizations to update credentials on accounts in Active Directory, which is the database that keeps track of all of an organization’s user accounts and passwords, CISA has also released a new tool [github.com] to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.
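As an added illustration of the kind of log review such a tool automates (this is example code written for this page, not CISA’s tool and not Pulse Secure code), the script below scans web-server access logs in Common Log Format for requests that look like attempts to abuse an arbitrary file read: it percent-decodes each request path repeatedly so double-encoded traversal is not missed, collapses `..` segments, and flags requests that traverse directories or resolve to a well-known sensitive file. The log lines, the IP addresses and the `SENSITIVE_FILES` list are constructed for the example; the detection heuristic is an assumption for illustration and is not the detection method from the CISA alert.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the page
# or from CISA's tool). The second and third lines model traversal attempts;
# the third one is double percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2020:10:01:07 +0000] "GET /dana-na/../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [10/Jan/2020:10:01:09 +0000] "GET /dana-na/%252e%252e%252f%252e%252e%252fetc/hosts HTTP/1.1" 404 0
198.51.100.2 - - [10/Jan/2020:10:02:00 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Files an arbitrary-file-read probe commonly asks for. This list is an
# assumption for the example; extend it with paths relevant to your appliance.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/hosts")


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_request(raw_path: str) -> list:
    """Return the reasons a request path looks like a file-read probe ([] if clean)."""
    reasons = []
    # Drop the query string; normalise separators, since some handlers accept both.
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    if "../" in path or path.endswith(".."):
        reasons.append("traversal")
    # normpath collapses ".." segments, including ones that climb past "/".
    normalised = posixpath.normpath("/" + path.lstrip("/"))
    if normalised in SENSITIVE_FILES:
        reasons.append("sensitive_file")
    return reasons


def scan_log(text: str) -> list:
    """Scan CLF log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in production, count these separately
        reasons = analyse_request(m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": m["path"],
                "reasons": reasons,
                # A 2xx response to a traversal request suggests the read succeeded.
                "likely_success": m["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Every hit from such a scan is a reason to treat the appliance as compromised rather than merely exposed, which is the logic behind CISA’s advice: a successful read before patching means credentials may already be in an attacker’s hands, so patching alone does not close the incident and the Active Directory password reset still applies.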