Written by Howard Ngork
If firewall is a castle’s moat and exterior wall to a corporate network, loosely speaking, then a drawbridge would be the VPN into the network. A VPN can be used for restricting access to protected resources with a secure connection. But, what use is this control device if the inner workings can be exposed? In this post, we explore several vulnerabilities which have been exploited in recent ransomware attacks that netted cybercriminals 6 and 7-figure ransom amounts. VPN attacks have and always will be an attack vector; however, as the ongoing COVID-19 pandemic shifts the global workforce to a telework model, cybercriminals are paying more attention to and developing attacks exploiting vulnerabilities associated with remote access.
In April 2019, two security researchers (Orange Tsai and Meh Chang) revealed multiple vulnerabilities related to Pulse Secure’s “Pulse Connect Secure” (PCS), a VPN solution. In response, Pulse Secure released patches to fix the issues; however, not all organizations took action and to this day, there are still unpatched PCS devices floating on the internet (albeit most likely from test environments).
Unpatched versions of Pulse Secure PCS can allow an unauthenticated remote attacker the ability to perform an arbitrary file read (CVE-2019-11510). This is done through an HTTP request containing a unique Uniform Resource Identifier (URI) and a directory traversal. To make matters worse, proof-of-concepts have been published online and public Metasploit modules exist that even a script kiddie could use. With the ability to read files with CVE-2019-11510, there are 2 files of interest for an attacker:
The first file contains a list of users and their hashed passwords. Given enough time and resources, dictionary and brute force attacks can crack these hashes, yielding proper credentials to log into the network. An attacker could then access the organization’s network and resources as a remote employee. Chaining another attack on this vector is CVE-2019-11508, a vulnerability in the Network File Share (NFS) which allows any authenticated user to upload files and write to the local system.
The second readable file is a database which contains a user’s password when logging into the administrative interface of the Pulse VPN device. Not only was this database found to be unencrypted, the stored password itself is in plain text. To further escalate this attack, there is a vulnerability within the administrative web interface (CVE-2019-11539) that can be used to inject and execute commands on the host.
Linking multiple vulnerabilities together, an attacker can fully compromise a Pulse VPN device whose main purpose is to keep attackers at bay and restrict users. With valid credentials, the attacker can assume the position of a remote employee, access/exfiltrate sensitive data, and encrypt an organization’s network.
Even though CVE-2019-11510 is a year old and has been patched by many organizations, if an attacker previously had the chance to dump the credentials from the VPN device, users could still be at risk if passwords have not been changed. A prime example of this occurred on December 31st, 2019 when Travelex systems were taken offline by a cyber attack. Travelex supposedly patched its Pulse VPN server in early November, but the damage was already done, as threat actor managed to obtain the sensitive files before the patch was applied. With credentials exposed, it was only a matter of time before the main attack occurred.
We have seen more instances of such attacks over the last few weeks, in which cybercriminals leveraged these and similar vulnerabilities to gain unauthorized access to corporations and follow on with ransomware attacks. The ransomware attacks have evolved from encrypting data and systems (as more organizations have successfully deployed backup solutions) to theft of sensitive data and extortion threats of public exposure or shaming. Unfortunately, many of these attacks resulted in victims paying high 6 and even 7-figure ransom demands.
As more attention has been brought to Pulse Secure PCS, additional vulnerabilities have been disclosed, with CVE-2020-11580 (Improper Certificate Validation), CVE-2020-11581 (OS Command Injection), and CVE-2020-11582 (Permissions, Privileges, and Access Controls) reported just this month. While Pulse Secure has been named in this post, it is important to emphasize it is not the only VPN solution with vulnerabilities. Other popular services are similarly targeted by cybercriminals.
In the current environment, as IT administrators work to support their organization’s telework needs with increased remote access through VPNs, Citrix environments and RDPs, it is imperative to prevent attacks targeting remote access vulnerabilities. As such, we recommend IT administrators formulate a strategy to address the following:
About the AuthorHoward Ngork is a Senior Security Engineer at Q6 Cyber. His professional experience dates back to his active duty as a United States Marine working with the DoD supporting a range of network security initiatives. Now, he devotes all his time to threat hunting.