Organizations that are running Pulse Secure VPN devices may still be at risk of being exploited, even if previously patched, according to a new Department of Homeland Security (DHS) advisory. The risk is elevated if an actor previously exploited CVE-2019-11510 and stole Active Directory (AD) credentials from the victim organization.
Although the VPN patch was released in April of 2019, threat actors continued to exploit CVE-2019-11510 throughout 2019 and into this year.
An unauthenticated remote attacker could exploit the arbitrary file reading VPN vulnerability to steal sensitive data, such as private keys and user passwords. To make matters worse, the attackers could then pivot to take advantage of other unpatched vulnerabilities.
Last August, hackers targeted and scanned thousands of unpatched Pulse Secure VPN devices.
In September, UK cyber threat intelligence experts published an advisory describing how Advanced Persistent Threat (APT) actors continued to exploit these same VPN vulnerabilities.
Even in January of this year, DHS warned that attackers continued to target unpatched Pulse Secure VPN systems.
In the latest advisory released April 16, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) team said attackers can still exploit previously patched VPN devices in certain use cases:
“CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access—and move laterally through—that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.”
DHS CISA
Furthermore, CISA confirmed some incidents where Active Directory credentials were even used months after the VPN patches were applied.
Detection tools and guidance
Unfortunately, some organizations may not know if they were ever compromised in the first place. To that end, CISA has provided a new tool and guidance that can help determine whether indicators of compromise (IOCs) for CVE-2019-11510 exist in the log files of a Pulse Secure VPN appliance.
CISA also provided detection guidance to help organizations determine whether they are at risk for exploitation from compromises that occurred pre-patch, such as:
- Turn on logging of unauthenticated requests.
- Check logs for exploit attempts to help detect lateral movement (e.g., “../../../data”).
- Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.
- Run CISA’s IOC detection tool.
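The log check from the list above, as an added example that is not part of the original article and is not CISA's tool: a Python scan for the “../../../data” marker that also catches percent-encoded and backslash forms. The log layout, field names and sample lines are constructed assumptions, not the appliance's real log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

MARKER = "../../../data"  # traversal string quoted in the guidance above

# Constructed sample lines. The layout (timestamp, src=, request="...") is an
# assumption for this example, not the appliance's real log format.
SAMPLE_LOG = """\
2020-04-10T08:01:12Z src=192.0.2.10 request="/login/index"
2020-04-10T08:03:44Z src=203.0.113.7 request="/a/../../../data/example"
2020-04-10T08:03:51Z src=203.0.113.7 request="/a/%2e%2e/%2e%2e/%2e%2e/data/example"
2020-04-10T08:04:02Z src=203.0.113.7 request="/a/%252e%252e%252f%252e%252e%252f%252e%252e%252fdata"
2020-04-10T08:05:09Z src=198.51.100.23 request="/a/..%5C..%5C..%5Cdata"
2020-04-10T09:15:30Z src=192.0.2.10 request="/home/data/report"
truncated line with no fields ../../../data
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) request="(?P<req>[^"]*)"$')

def normalize(text):
    """Undo up to three layers of percent-encoding and unify path separators."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")

def find_traversal_attempts(log_text, marker=MARKER):
    """Return (line number, timestamp, source) for each line carrying the marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        # Unparsed lines are still searched raw rather than silently skipped.
        ts, src, req = (m["ts"], m["src"], m["req"]) if m else ("?", "?", line)
        if marker in normalize(req):
            hits.append((lineno, ts, src))
    return hits

def sources_by_hits(hits):
    """Rank source addresses by number of flagged requests, for manual review."""
    return Counter(src for _, _, src in hits).most_common()

if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for lineno, ts, src in found:
        print(f"line {lineno}: {ts} from {src}")
    print(sources_by_hits(found))
```

A hit here is only a lead for the manual session review in the next step of the list; it does not replace running CISA's IOC detection tool.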
The DHS also recommends changing passwords for all Active Directory accounts, including administrator accounts and service accounts.
Finally, CISA provided more details in the advisory on POC exploitation steps, cyber threat behavior, and guidance on how to use the Post-Compromise Detection and IOC Detection Tools.