One of the ways in which many companies try to combat exploitation by hackers is through the use of a VPN (virtual private network). VPNs allow businesses to create what is essentially a private network where all the IP (internet protocol) addresses used by employees are hidden, thus allowing users to conduct online activity that is virtually untraceable.
While software companies that offer VPNs put forth great effort to design their VPNs in such as way as to be untouchable by hackers, occasionally vulnerabilities in their software are discovered. In the case of Pulse Secure's popular Connect Secure and Policy Secure products, bugs were reported as early as April, 2019.
In this post, we will outline the type of vulnerabilities discovered in these products, why these issues leave a company particularly vulnerable, as well as discuss the only solution available to resolve the issue.
How a Hacker Exploits Pulse Secure VPNs
According to the CISA (the Cyber Security and Infrastructure Security Agency), Pulse VPNs contain a vulnerability that an unauthorized remote user may exploit in order to gain access to all active VPN users, as well as their passwords in plain-text.
In addition, these remote attackers may steal data through remote arbitrary file access on a Pulse Connect Secure gateway, and/or they may deploy malware or ransomware after they successfully connect to the victim's VPN server.
This particular vulnerability has been quite serious for some affected companies, as nation-state sponsored hackers managed to encrypt their data and/or expose other sensitive data to the public. Some companies who refused to pay the demanded ransoms have experienced these exact scenarios.
To make matters worse, the hackers publicly published information on how to perform the exploitation thus providing even more fuel for large-scale scanning activity by other hackers searching for vulnerable systems.
A Slow User Response
While Pulse Secure issued an advisory regarding the issue on April 24, 2019 and released patches shortly thereafter for both their Connect Secure and Policy Secure versions, companies have been somewhat slow to respond.
Even several months later in August of 2019, 14,000 systems worldwide, with one third of the systems located in the United States, were found to be still vulnerable to the bug. Even in January of 2020, multiple corporate attacks from this same bug have been reported.
The Only Solution
Any company using either of Pulse's VPN products should check to make sure the patches sent out by Pulse Secure have been applied to their systems. Application of the patches are the only solution as there are no other workarounds or mitigation available.
Listed below are all the vulnerable software versions:
- Pulse Connect Secure 9.0R1 - 9.0R3.3
- Pulse Connect Secure 8.3R1 - 8.3R7
- Pulse Connect Secure 8.2R1 - 8.2R12
- Pulse Connect Secure 8.1R1 - 8.1R15
- Pulse Policy Secure 9.0R1 - 9.0R3.1
- Pulse Policy Secure 5.4R1 - 5.4R7
- Pulse Policy Secure 5.3R1 - 5.3R12
- Pulse Policy Secure 5.2R1 - 5.2R12
- Pulse Policy Secure 5.1R1 - 5.1R15
While most companies using these versions of Pulse software have been patched by now, the exploitation remains a particularly nasty one as the publicly available bug allows multiple hackers to deploy ransomware on systems that remain exposed.
Companies who have not yet applied the patch remain vulnerable to publication of sensitive corporate data and/or permanent encryption of their data if they refuse to pay the ransoms demanded by their attackers.
If your company uses either Pulse Connect Secure or Pulse Policy Secure VPN software and you are unsure as to whether this critical patch has been applied to your system, we can help.
Please contact us for further information about this exploitation and how to resolve it.